rpms
/
openssl
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Merge remote-tracking branch 'up/master' into master-riscv64 

Signed-off-by: David Abdurachmanov <david.abdurachmanov@sifive.com>
This commit is contained in:
David Abdurachmanov 2020-07-23 17:14:55 +03:00
parent 5ea777e397 a75e581407
commit e164013a0f
Signed by: davidlt
GPG Key ID: 8B7F1DA0E2C9FDBB
20 changed files with 7464 additions and 914 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -47,3 +47,4 @@ openssl-1.0.0a-usa.tar.bz2
/openssl-1.1.1d-hobbled.tar.xz
/openssl-1.1.1e-hobbled.tar.xz
/openssl-1.1.1f-hobbled.tar.xz
/openssl-1.1.1g-hobbled.tar.xz

27
openssl-1.1.1-alpn-cb.patch Normal file
View File

@ -0,0 +1,27 @@
commit 9e885a707d604e9528b5491b78fb9c00f41193fc
Author: Tomas Mraz <tmraz@fedoraproject.org>
Date: Thu Mar 26 15:59:00 2020 +0100
s_server: Properly indicate ALPN protocol mismatch
Return SSL_TLSEXT_ERR_ALERT_FATAL from alpn_select_cb so that
an alert is sent to the client on ALPN protocol mismatch.
Fixes: #2708
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11415)
diff --git a/apps/s_server.c b/apps/s_server.c
index bcc83e562c..591c6c19c5 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -707,7 +707,7 @@ static int alpn_cb(SSL *s, const unsigned char **out, unsigned char *outlen,
if (SSL_select_next_proto
((unsigned char **)out, outlen, alpn_ctx->data, alpn_ctx->len, in,
inlen) != OPENSSL_NPN_NEGOTIATED) {
- return SSL_TLSEXT_ERR_NOACK;
+ return SSL_TLSEXT_ERR_ALERT_FATAL;
}
if (!s_quiet) {

1434
openssl-1.1.1-arm-update.patch Normal file
View File

File diff suppressed because it is too large Load Diff

57
openssl-1.1.1-edk2-build.patch Normal file
View File

@ -0,0 +1,57 @@
diff -up openssl-1.1.1g/crypto/evp/pkey_kdf.c.edk2-build openssl-1.1.1g/crypto/evp/pkey_kdf.c
--- openssl-1.1.1g/crypto/evp/pkey_kdf.c.edk2-build 2020-05-18 12:55:53.299548432 +0200
+++ openssl-1.1.1g/crypto/evp/pkey_kdf.c 2020-05-18 12:55:53.340548788 +0200
@@ -12,6 +12,7 @@
#include <openssl/evp.h>
#include <openssl/err.h>
#include <openssl/kdf.h>
+#include "internal/numbers.h"
#include "crypto/evp.h"
static int pkey_kdf_init(EVP_PKEY_CTX *ctx)
diff -up openssl-1.1.1g/crypto/kdf/hkdf.c.edk2-build openssl-1.1.1g/crypto/kdf/hkdf.c
--- openssl-1.1.1g/crypto/kdf/hkdf.c.edk2-build 2020-05-18 12:55:53.340548788 +0200
+++ openssl-1.1.1g/crypto/kdf/hkdf.c 2020-05-18 12:57:18.648288904 +0200
@@ -13,6 +13,7 @@
#include <openssl/hmac.h>
#include <openssl/kdf.h>
#include <openssl/evp.h>
+#include "internal/numbers.h"
#include "internal/cryptlib.h"
#include "crypto/evp.h"
#include "kdf_local.h"
diff -up openssl-1.1.1g/crypto/rand/rand_unix.c.edk2-build openssl-1.1.1g/crypto/rand/rand_unix.c
--- openssl-1.1.1g/crypto/rand/rand_unix.c.edk2-build 2020-05-18 12:56:05.646655554 +0200
+++ openssl-1.1.1g/crypto/rand/rand_unix.c 2020-05-18 12:58:51.088090896 +0200
@@ -20,7 +20,7 @@
#include "crypto/fips.h"
#include <stdio.h>
#include "internal/dso.h"
-#ifdef __linux
+#if defined(__linux) && !defined(OPENSSL_SYS_UEFI)
# include <sys/syscall.h>
# include <sys/random.h>
# ifdef DEVRANDOM_WAIT
diff -up openssl-1.1.1g/include/crypto/fips.h.edk2-build openssl-1.1.1g/include/crypto/fips.h
--- openssl-1.1.1g/include/crypto/fips.h.edk2-build 2020-05-18 12:55:53.296548406 +0200
+++ openssl-1.1.1g/include/crypto/fips.h 2020-05-18 12:55:53.340548788 +0200
@@ -50,10 +50,6 @@
#include <openssl/opensslconf.h>
#include <openssl/evp.h>
-#ifndef OPENSSL_FIPS
-# error FIPS is disabled.
-#endif
-
#ifdef OPENSSL_FIPS
int FIPS_module_mode_set(int onoff);
@@ -97,4 +93,8 @@ void fips_set_selftest_fail(void);
void FIPS_get_timevec(unsigned char *buf, unsigned long *pctr);
+#else
+
+# define fips_in_post() 0
+
#endif

40
openssl-1.1.1-fips-crng-test.patch
View File

@ -1,15 +1,17 @@
diff -up openssl-1.1.1e/crypto/rand/build.info.crng-test openssl-1.1.1e/crypto/rand/build.info
--- openssl-1.1.1e/crypto/rand/build.info.crng-test 2020-03-17 15:31:17.000000000 +0100
+++ openssl-1.1.1e/crypto/rand/build.info 2020-03-19 16:45:52.286627241 +0100
@@ -1,4 +1,4 @@
diff -up openssl-1.1.1g/crypto/rand/build.info.crng-test openssl-1.1.1g/crypto/rand/build.info
--- openssl-1.1.1g/crypto/rand/build.info.crng-test 2020-04-23 13:30:45.863389837 +0200
+++ openssl-1.1.1g/crypto/rand/build.info 2020-04-23 13:31:55.847069892 +0200
@@ -1,6 +1,6 @@
LIBS=../../libcrypto
SOURCE[../../libcrypto]=\
- randfile.c rand_lib.c rand_err.c rand_egd.c \
+ randfile.c rand_lib.c rand_err.c rand_crng_test.c rand_egd.c \
rand_win.c rand_unix.c rand_vms.c drbg_lib.c drbg_ctr.c
diff -up openssl-1.1.1e/crypto/rand/drbg_lib.c.crng-test openssl-1.1.1e/crypto/rand/drbg_lib.c
--- openssl-1.1.1e/crypto/rand/drbg_lib.c.crng-test 2020-03-19 16:45:52.246627936 +0100
+++ openssl-1.1.1e/crypto/rand/drbg_lib.c 2020-03-19 16:45:52.286627241 +0100
INCLUDE[drbg_ctr.o]=../modes
diff -up openssl-1.1.1g/crypto/rand/drbg_lib.c.crng-test openssl-1.1.1g/crypto/rand/drbg_lib.c
--- openssl-1.1.1g/crypto/rand/drbg_lib.c.crng-test 2020-04-23 13:30:45.818390686 +0200
+++ openssl-1.1.1g/crypto/rand/drbg_lib.c 2020-04-23 13:30:45.864389819 +0200
@@ -67,7 +67,7 @@ static CRYPTO_THREAD_LOCAL private_drbg;
@ -33,9 +35,9 @@ diff -up openssl-1.1.1e/crypto/rand/drbg_lib.c.crng-test openssl-1.1.1e/crypto/r
#ifndef RAND_DRBG_GET_RANDOM_NONCE
drbg->get_nonce = rand_drbg_get_nonce;
drbg->cleanup_nonce = rand_drbg_cleanup_nonce;
diff -up openssl-1.1.1e/crypto/rand/rand_crng_test.c.crng-test openssl-1.1.1e/crypto/rand/rand_crng_test.c
--- openssl-1.1.1e/crypto/rand/rand_crng_test.c.crng-test 2020-03-19 16:45:52.286627241 +0100
+++ openssl-1.1.1e/crypto/rand/rand_crng_test.c 2020-03-19 16:45:52.286627241 +0100
diff -up openssl-1.1.1g/crypto/rand/rand_crng_test.c.crng-test openssl-1.1.1g/crypto/rand/rand_crng_test.c
--- openssl-1.1.1g/crypto/rand/rand_crng_test.c.crng-test 2020-04-23 13:30:45.864389819 +0200
+++ openssl-1.1.1g/crypto/rand/rand_crng_test.c 2020-04-23 13:30:45.864389819 +0200
@@ -0,0 +1,118 @@
+/*
+ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
@ -155,9 +157,9 @@ diff -up openssl-1.1.1e/crypto/rand/rand_crng_test.c.crng-test openssl-1.1.1e/cr
+{
+ OPENSSL_secure_clear_free(out, outlen);
+}
diff -up openssl-1.1.1e/crypto/rand/rand_local.h.crng-test openssl-1.1.1e/crypto/rand/rand_local.h
--- openssl-1.1.1e/crypto/rand/rand_local.h.crng-test 2020-03-19 16:45:51.930633424 +0100
+++ openssl-1.1.1e/crypto/rand/rand_local.h 2020-03-19 16:46:03.601430727 +0100
diff -up openssl-1.1.1g/crypto/rand/rand_local.h.crng-test openssl-1.1.1g/crypto/rand/rand_local.h
--- openssl-1.1.1g/crypto/rand/rand_local.h.crng-test 2020-04-23 13:30:45.470397250 +0200
+++ openssl-1.1.1g/crypto/rand/rand_local.h 2020-04-23 13:30:45.864389819 +0200
@@ -33,7 +33,15 @@
# define MASTER_RESEED_TIME_INTERVAL (60*60) /* 1 hour */
# define SLAVE_RESEED_TIME_INTERVAL (7*60) /* 7 minutes */
@ -207,9 +209,9 @@ diff -up openssl-1.1.1e/crypto/rand/rand_local.h.crng-test openssl-1.1.1e/crypto
+int rand_crngt_single_init(void);
+
#endif
diff -up openssl-1.1.1e/include/crypto/rand.h.crng-test openssl-1.1.1e/include/crypto/rand.h
--- openssl-1.1.1e/include/crypto/rand.h.crng-test 2020-03-19 16:45:52.250627866 +0100
+++ openssl-1.1.1e/include/crypto/rand.h 2020-03-19 16:45:52.285627258 +0100
diff -up openssl-1.1.1g/include/crypto/rand.h.crng-test openssl-1.1.1g/include/crypto/rand.h
--- openssl-1.1.1g/include/crypto/rand.h.crng-test 2020-04-23 13:30:45.824390573 +0200
+++ openssl-1.1.1g/include/crypto/rand.h 2020-04-23 13:30:45.864389819 +0200
@@ -49,6 +49,14 @@ size_t rand_drbg_get_additional_data(RAN
void rand_drbg_cleanup_additional_data(RAND_POOL *pool, unsigned char *out);
@ -225,9 +227,9 @@ diff -up openssl-1.1.1e/include/crypto/rand.h.crng-test openssl-1.1.1e/include/c
/*
* RAND_POOL functions
*/
diff -up openssl-1.1.1e/test/drbgtest.c.crng-test openssl-1.1.1e/test/drbgtest.c
--- openssl-1.1.1e/test/drbgtest.c.crng-test 2020-03-17 15:31:17.000000000 +0100
+++ openssl-1.1.1e/test/drbgtest.c 2020-03-19 16:46:03.604430675 +0100
diff -up openssl-1.1.1g/test/drbgtest.c.crng-test openssl-1.1.1g/test/drbgtest.c
--- openssl-1.1.1g/test/drbgtest.c.crng-test 2020-04-21 14:22:39.000000000 +0200
+++ openssl-1.1.1g/test/drbgtest.c 2020-04-23 13:30:45.865389800 +0200
@@ -150,6 +150,31 @@ static size_t kat_nonce(RAND_DRBG *drbg,
return t->noncelen;
}

200
openssl-1.1.1-fips-curves.patch Normal file
View File

@ -0,0 +1,200 @@
diff -up openssl-1.1.1g/crypto/ec/ec_curve.c.fips-curves openssl-1.1.1g/crypto/ec/ec_curve.c
--- openssl-1.1.1g/crypto/ec/ec_curve.c.fips-curves 2020-05-18 12:59:54.839643980 +0200
+++ openssl-1.1.1g/crypto/ec/ec_curve.c 2020-05-18 12:59:54.852644093 +0200
@@ -13,6 +13,7 @@
#include <openssl/err.h>
#include <openssl/obj_mac.h>
#include <openssl/opensslconf.h>
+#include <openssl/crypto.h>
#include "internal/nelem.h"
typedef struct {
@@ -237,6 +238,7 @@ static const struct {
typedef struct _ec_list_element_st {
int nid;
+ int fips_allowed;
const EC_CURVE_DATA *data;
const EC_METHOD *(*meth) (void);
const char *comment;
@@ -246,23 +248,23 @@ static const ec_list_element curve_list[
/* prime field curves */
/* secg curves */
#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
- {NID_secp224r1, &_EC_NIST_PRIME_224.h, EC_GFp_nistp224_method,
+ {NID_secp224r1, 1, &_EC_NIST_PRIME_224.h, EC_GFp_nistp224_method,
"NIST/SECG curve over a 224 bit prime field"},
#else
- {NID_secp224r1, &_EC_NIST_PRIME_224.h, 0,
+ {NID_secp224r1, 1, &_EC_NIST_PRIME_224.h, 0,
"NIST/SECG curve over a 224 bit prime field"},
#endif
- {NID_secp256k1, &_EC_SECG_PRIME_256K1.h, 0,
+ {NID_secp256k1, 0, &_EC_SECG_PRIME_256K1.h, 0,
"SECG curve over a 256 bit prime field"},
/* SECG secp256r1 is the same as X9.62 prime256v1 and hence omitted */
- {NID_secp384r1, &_EC_NIST_PRIME_384.h,
+ {NID_secp384r1, 1, &_EC_NIST_PRIME_384.h,
# if defined(S390X_EC_ASM)
EC_GFp_s390x_nistp384_method,
# else
0,
# endif
"NIST/SECG curve over a 384 bit prime field"},
- {NID_secp521r1, &_EC_NIST_PRIME_521.h,
+ {NID_secp521r1, 1, &_EC_NIST_PRIME_521.h,
# if defined(S390X_EC_ASM)
EC_GFp_s390x_nistp521_method,
# elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128)
@@ -272,7 +274,7 @@ static const ec_list_element curve_list[
# endif
"NIST/SECG curve over a 521 bit prime field"},
/* X9.62 curves */
- {NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h,
+ {NID_X9_62_prime256v1, 1, &_EC_X9_62_PRIME_256V1.h,
#if defined(ECP_NISTZ256_ASM)
EC_GFp_nistz256_method,
# elif defined(S390X_EC_ASM)
@@ -404,6 +406,10 @@ EC_GROUP *EC_GROUP_new_by_curve_name(int
for (i = 0; i < curve_list_length; i++)
if (curve_list[i].nid == nid) {
+ if (!curve_list[i].fips_allowed && FIPS_mode()) {
+ ECerr(EC_F_EC_GROUP_NEW_BY_CURVE_NAME, EC_R_NOT_A_NIST_PRIME);
+ return NULL;
+ }
ret = ec_group_new_from_data(curve_list[i]);
break;
}
@@ -418,19 +424,31 @@ EC_GROUP *EC_GROUP_new_by_curve_name(int
size_t EC_get_builtin_curves(EC_builtin_curve *r, size_t nitems)
{
- size_t i, min;
+ size_t i, j, num;
+ int fips_mode = FIPS_mode();
- if (r == NULL || nitems == 0)
- return curve_list_length;
+ num = curve_list_length;
+ if (fips_mode)
+ for (i = 0; i < curve_list_length; i++) {
+ if (!curve_list[i].fips_allowed)
+ --num;
+ }
- min = nitems < curve_list_length ? nitems : curve_list_length;
+ if (r == NULL || nitems == 0) {
+ return num;
+ }
- for (i = 0; i < min; i++) {
- r[i].nid = curve_list[i].nid;
- r[i].comment = curve_list[i].comment;
+ for (i = 0, j = 0; i < curve_list_length; i++) {
+ if (j >= nitems)
+ break;
+ if (!fips_mode || curve_list[i].fips_allowed) {
+ r[j].nid = curve_list[i].nid;
+ r[j].comment = curve_list[i].comment;
+ ++j;
+ }
}
- return curve_list_length;
+ return num;
}
/* Functions to translate between common NIST curve names and NIDs */
diff -up openssl-1.1.1g/ssl/t1_lib.c.fips-curves openssl-1.1.1g/ssl/t1_lib.c
--- openssl-1.1.1g/ssl/t1_lib.c.fips-curves 2020-05-18 12:59:54.797643616 +0200
+++ openssl-1.1.1g/ssl/t1_lib.c 2020-05-18 13:03:54.748725463 +0200
@@ -678,6 +678,36 @@ static const uint16_t tls12_sigalgs[] =
#endif
};
+static const uint16_t tls12_fips_sigalgs[] = {
+#ifndef OPENSSL_NO_EC
+ TLSEXT_SIGALG_ecdsa_secp256r1_sha256,
+ TLSEXT_SIGALG_ecdsa_secp384r1_sha384,
+ TLSEXT_SIGALG_ecdsa_secp521r1_sha512,
+#endif
+
+ TLSEXT_SIGALG_rsa_pss_pss_sha256,
+ TLSEXT_SIGALG_rsa_pss_pss_sha384,
+ TLSEXT_SIGALG_rsa_pss_pss_sha512,
+ TLSEXT_SIGALG_rsa_pss_rsae_sha256,
+ TLSEXT_SIGALG_rsa_pss_rsae_sha384,
+ TLSEXT_SIGALG_rsa_pss_rsae_sha512,
+
+ TLSEXT_SIGALG_rsa_pkcs1_sha256,
+ TLSEXT_SIGALG_rsa_pkcs1_sha384,
+ TLSEXT_SIGALG_rsa_pkcs1_sha512,
+
+#ifndef OPENSSL_NO_EC
+ TLSEXT_SIGALG_ecdsa_sha224,
+#endif
+ TLSEXT_SIGALG_rsa_pkcs1_sha224,
+#ifndef OPENSSL_NO_DSA
+ TLSEXT_SIGALG_dsa_sha224,
+ TLSEXT_SIGALG_dsa_sha256,
+ TLSEXT_SIGALG_dsa_sha384,
+ TLSEXT_SIGALG_dsa_sha512,
+#endif
+};
+
#ifndef OPENSSL_NO_EC
static const uint16_t suiteb_sigalgs[] = {
TLSEXT_SIGALG_ecdsa_secp256r1_sha256,
@@ -894,6 +924,8 @@ static const SIGALG_LOOKUP *tls1_get_leg
}
if (idx < 0 || idx >= (int)OSSL_NELEM(tls_default_sigalg))
return NULL;
+ if (FIPS_mode()) /* We do not allow legacy SHA1 signatures in FIPS mode */
+ return NULL;
if (SSL_USE_SIGALGS(s) || idx != SSL_PKEY_RSA) {
const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(tls_default_sigalg[idx]);
@@ -954,6 +986,9 @@ size_t tls12_get_psigalgs(SSL *s, int se
} else if (s->cert->conf_sigalgs) {
*psigs = s->cert->conf_sigalgs;
return s->cert->conf_sigalgslen;
+ } else if (FIPS_mode()) {
+ *psigs = tls12_fips_sigalgs;
+ return OSSL_NELEM(tls12_fips_sigalgs);
} else {
*psigs = tls12_sigalgs;
return OSSL_NELEM(tls12_sigalgs);
@@ -973,6 +1008,9 @@ int tls_check_sigalg_curve(const SSL *s,
if (s->cert->conf_sigalgs) {
sigs = s->cert->conf_sigalgs;
siglen = s->cert->conf_sigalgslen;
+ } else if (FIPS_mode()) {
+ sigs = tls12_fips_sigalgs;
+ siglen = OSSL_NELEM(tls12_fips_sigalgs);
} else {
sigs = tls12_sigalgs;
siglen = OSSL_NELEM(tls12_sigalgs);
@@ -1617,6 +1655,8 @@ static int tls12_sigalg_allowed(const SS
if (lu->sig == NID_id_GostR3410_2012_256
|| lu->sig == NID_id_GostR3410_2012_512
|| lu->sig == NID_id_GostR3410_2001) {
+ if (FIPS_mode())
+ return 0;
/* We never allow GOST sig algs on the server with TLSv1.3 */
if (s->server && SSL_IS_TLS13(s))
return 0;
@@ -2842,6 +2882,13 @@ int tls_choose_sigalg(SSL *s, int fatale
const uint16_t *sent_sigs;
size_t sent_sigslen;
+ if (fatalerrs && FIPS_mode()) {
+ /* There are no suitable legacy algorithms in FIPS mode */
+ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
+ SSL_F_TLS_CHOOSE_SIGALG,
+ SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
+ return 0;
+ }
if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) {
if (!fatalerrs)
return 1;

2806
openssl-1.1.1-fips-dh.patch Normal file
View File

File diff suppressed because it is too large Load Diff

28
openssl-1.1.1-fips-drbg-selftest.patch
View File

@ -1,6 +1,6 @@
diff -up openssl-1.1.1e/crypto/fips/fips_post.c.drbg-selftest openssl-1.1.1e/crypto/fips/fips_post.c
--- openssl-1.1.1e/crypto/fips/fips_post.c.drbg-selftest 2020-03-19 17:07:51.096676537 +0100
+++ openssl-1.1.1e/crypto/fips/fips_post.c 2020-03-19 17:07:51.209674565 +0100
diff -up openssl-1.1.1g/crypto/fips/fips_post.c.drbg-selftest openssl-1.1.1g/crypto/fips/fips_post.c
--- openssl-1.1.1g/crypto/fips/fips_post.c.drbg-selftest 2020-04-23 13:33:12.500624151 +0200
+++ openssl-1.1.1g/crypto/fips/fips_post.c 2020-04-23 13:33:12.618621925 +0200
@@ -67,12 +67,18 @@
# include <openssl/fips.h>
@ -20,18 +20,20 @@ diff -up openssl-1.1.1e/crypto/fips/fips_post.c.drbg-selftest openssl-1.1.1e/cry
if (!FIPS_selftest_drbg())
rv = 0;
if (!FIPS_selftest_sha1())
diff -up openssl-1.1.1e/crypto/rand/build.info.drbg-selftest openssl-1.1.1e/crypto/rand/build.info
--- openssl-1.1.1e/crypto/rand/build.info.drbg-selftest 2020-03-19 17:07:51.179675088 +0100
+++ openssl-1.1.1e/crypto/rand/build.info 2020-03-19 17:08:14.005276610 +0100
@@ -1,4 +1,4 @@
diff -up openssl-1.1.1g/crypto/rand/build.info.drbg-selftest openssl-1.1.1g/crypto/rand/build.info
--- openssl-1.1.1g/crypto/rand/build.info.drbg-selftest 2020-04-23 13:33:12.619621907 +0200
+++ openssl-1.1.1g/crypto/rand/build.info 2020-04-23 13:34:10.857523497 +0200
@@ -1,6 +1,6 @@
LIBS=../../libcrypto
SOURCE[../../libcrypto]=\
randfile.c rand_lib.c rand_err.c rand_crng_test.c rand_egd.c \
- rand_win.c rand_unix.c rand_vms.c drbg_lib.c drbg_ctr.c
+ rand_win.c rand_unix.c rand_vms.c drbg_lib.c drbg_ctr.c drbg_selftest.c
diff -up openssl-1.1.1e/crypto/rand/drbg_selftest.c.drbg-selftest openssl-1.1.1e/crypto/rand/drbg_selftest.c
--- openssl-1.1.1e/crypto/rand/drbg_selftest.c.drbg-selftest 2020-03-19 17:08:14.011276505 +0100
+++ openssl-1.1.1e/crypto/rand/drbg_selftest.c 2020-03-19 17:08:14.011276505 +0100
INCLUDE[drbg_ctr.o]=../modes
diff -up openssl-1.1.1g/crypto/rand/drbg_selftest.c.drbg-selftest openssl-1.1.1g/crypto/rand/drbg_selftest.c
--- openssl-1.1.1g/crypto/rand/drbg_selftest.c.drbg-selftest 2020-04-23 13:33:12.619621907 +0200
+++ openssl-1.1.1g/crypto/rand/drbg_selftest.c 2020-04-23 13:33:12.619621907 +0200
@@ -0,0 +1,537 @@
+/*
+ * Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved.
@ -570,9 +572,9 @@ diff -up openssl-1.1.1e/crypto/rand/drbg_selftest.c.drbg-selftest openssl-1.1.1e
+
+ return 1;
+}
diff -up openssl-1.1.1e/include/crypto/rand.h.drbg-selftest openssl-1.1.1e/include/crypto/rand.h
--- openssl-1.1.1e/include/crypto/rand.h.drbg-selftest 2020-03-19 17:07:51.182675036 +0100
+++ openssl-1.1.1e/include/crypto/rand.h 2020-03-19 17:08:14.004276627 +0100
diff -up openssl-1.1.1g/include/crypto/rand.h.drbg-selftest openssl-1.1.1g/include/crypto/rand.h
--- openssl-1.1.1g/include/crypto/rand.h.drbg-selftest 2020-04-23 13:33:12.587622510 +0200
+++ openssl-1.1.1g/include/crypto/rand.h 2020-04-23 13:33:12.619621907 +0200
@@ -140,4 +140,9 @@ void rand_pool_cleanup(void);
*/
void rand_pool_keep_random_devices_open(int keep);

155
openssl-1.1.1-fips.patch
View File

@ -1,15 +1,15 @@
diff -up openssl-1.1.1e/apps/pkcs12.c.fips openssl-1.1.1e/apps/pkcs12.c
--- openssl-1.1.1e/apps/pkcs12.c.fips 2020-03-17 15:31:17.000000000 +0100
+++ openssl-1.1.1e/apps/pkcs12.c 2020-03-17 17:30:52.020567497 +0100
@@ -127,7 +127,7 @@ int pkcs12_main(int argc, char **argv)
diff -up openssl-1.1.1g/apps/pkcs12.c.fips openssl-1.1.1g/apps/pkcs12.c
--- openssl-1.1.1g/apps/pkcs12.c.fips 2020-04-23 13:26:06.975649817 +0200
+++ openssl-1.1.1g/apps/pkcs12.c 2020-04-23 13:28:27.689995889 +0200
@@ -123,7 +123,7 @@ int pkcs12_main(int argc, char **argv)
int export_cert = 0, options = 0, chain = 0, twopass = 0, keytype = 0;
int iter = PKCS12_DEFAULT_ITER, maciter = PKCS12_DEFAULT_ITER;
# ifndef OPENSSL_NO_RC2
#ifndef OPENSSL_NO_RC2
- int cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC;
+ int cert_pbe = FIPS_mode() ? NID_pbe_WithSHA1And3_Key_TripleDES_CBC : NID_pbe_WithSHA1And40BitRC2_CBC;
# else
#else
int cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
# endif
#endif
diff -up openssl-1.1.1e/apps/speed.c.fips openssl-1.1.1e/apps/speed.c
--- openssl-1.1.1e/apps/speed.c.fips 2020-03-17 17:30:51.997567897 +0100
+++ openssl-1.1.1e/apps/speed.c 2020-03-17 17:30:52.021567479 +0100
@ -879,128 +879,6 @@ diff -up openssl-1.1.1e/crypto/ec/ec_pmeth.c.fips openssl-1.1.1e/crypto/ec/ec_pm
pkey_ec_init,
pkey_ec_copy,
pkey_ec_cleanup,
diff -up openssl-1.1.1e/crypto/evp/c_allc.c.fips openssl-1.1.1e/crypto/evp/c_allc.c
--- openssl-1.1.1e/crypto/evp/c_allc.c.fips 2020-03-17 15:31:17.000000000 +0100
+++ openssl-1.1.1e/crypto/evp/c_allc.c 2020-03-17 17:30:52.027567375 +0100
@@ -17,6 +17,9 @@
void openssl_add_all_ciphers_int(void)
{
+#ifdef OPENSSL_FIPS
+ if (!FIPS_mode()) {
+#endif
#ifndef OPENSSL_NO_DES
EVP_add_cipher(EVP_des_cfb());
EVP_add_cipher(EVP_des_cfb1());
@@ -263,4 +266,70 @@ void openssl_add_all_ciphers_int(void)
EVP_add_cipher(EVP_chacha20_poly1305());
# endif
#endif
+#ifdef OPENSSL_FIPS
+ } else {
+# ifndef OPENSSL_NO_DES
+ EVP_add_cipher(EVP_des_ede3_cfb());
+
+ EVP_add_cipher(EVP_des_ede3_ofb());
+
+ EVP_add_cipher(EVP_des_ede3_cbc());
+ EVP_add_cipher_alias(SN_des_ede3_cbc, "DES3");
+ EVP_add_cipher_alias(SN_des_ede3_cbc, "des3");
+
+ EVP_add_cipher(EVP_des_ede3());
+ EVP_add_cipher_alias(SN_des_ede3_ecb, "DES-EDE3-ECB");
+ EVP_add_cipher_alias(SN_des_ede3_ecb, "des-ede3-ecb");
+ EVP_add_cipher(EVP_des_ede3_wrap());
+ EVP_add_cipher_alias(SN_id_smime_alg_CMS3DESwrap, "des3-wrap");
+# endif
+
+# ifndef OPENSSL_NO_AES
+ EVP_add_cipher(EVP_aes_128_ecb());
+ EVP_add_cipher(EVP_aes_128_cbc());
+ EVP_add_cipher(EVP_aes_128_cfb());
+ EVP_add_cipher(EVP_aes_128_cfb1());
+ EVP_add_cipher(EVP_aes_128_cfb8());
+ EVP_add_cipher(EVP_aes_128_ofb());
+ EVP_add_cipher(EVP_aes_128_ctr());
+ EVP_add_cipher(EVP_aes_128_gcm());
+ EVP_add_cipher(EVP_aes_128_xts());
+ EVP_add_cipher(EVP_aes_128_ccm());
+ EVP_add_cipher(EVP_aes_128_wrap());
+ EVP_add_cipher_alias(SN_id_aes128_wrap, "aes128-wrap");
+ EVP_add_cipher(EVP_aes_128_wrap_pad());
+ EVP_add_cipher_alias(SN_aes_128_cbc, "AES128");
+ EVP_add_cipher_alias(SN_aes_128_cbc, "aes128");
+ EVP_add_cipher(EVP_aes_192_ecb());
+ EVP_add_cipher(EVP_aes_192_cbc());
+ EVP_add_cipher(EVP_aes_192_cfb());
+ EVP_add_cipher(EVP_aes_192_cfb1());
+ EVP_add_cipher(EVP_aes_192_cfb8());
+ EVP_add_cipher(EVP_aes_192_ofb());
+ EVP_add_cipher(EVP_aes_192_ctr());
+ EVP_add_cipher(EVP_aes_192_gcm());
+ EVP_add_cipher(EVP_aes_192_ccm());
+ EVP_add_cipher(EVP_aes_192_wrap());
+ EVP_add_cipher_alias(SN_id_aes192_wrap, "aes192-wrap");
+ EVP_add_cipher(EVP_aes_192_wrap_pad());
+ EVP_add_cipher_alias(SN_aes_192_cbc, "AES192");
+ EVP_add_cipher_alias(SN_aes_192_cbc, "aes192");
+ EVP_add_cipher(EVP_aes_256_ecb());
+ EVP_add_cipher(EVP_aes_256_cbc());
+ EVP_add_cipher(EVP_aes_256_cfb());
+ EVP_add_cipher(EVP_aes_256_cfb1());
+ EVP_add_cipher(EVP_aes_256_cfb8());
+ EVP_add_cipher(EVP_aes_256_ofb());
+ EVP_add_cipher(EVP_aes_256_ctr());
+ EVP_add_cipher(EVP_aes_256_gcm());
+ EVP_add_cipher(EVP_aes_256_xts());
+ EVP_add_cipher(EVP_aes_256_ccm());
+ EVP_add_cipher(EVP_aes_256_wrap());
+ EVP_add_cipher_alias(SN_id_aes256_wrap, "aes256-wrap");
+ EVP_add_cipher(EVP_aes_256_wrap_pad());
+ EVP_add_cipher_alias(SN_aes_256_cbc, "AES256");
+ EVP_add_cipher_alias(SN_aes_256_cbc, "aes256");
+# endif
+ }
+#endif
}
diff -up openssl-1.1.1e/crypto/evp/c_alld.c.fips openssl-1.1.1e/crypto/evp/c_alld.c
--- openssl-1.1.1e/crypto/evp/c_alld.c.fips 2020-03-17 15:31:17.000000000 +0100
+++ openssl-1.1.1e/crypto/evp/c_alld.c 2020-03-17 17:30:52.027567375 +0100
@@ -16,6 +16,9 @@
void openssl_add_all_digests_int(void)
{
+#ifdef OPENSSL_FIPS
+ if (!FIPS_mode()) {
+#endif
#ifndef OPENSSL_NO_MD4
EVP_add_digest(EVP_md4());
#endif
@@ -57,4 +60,24 @@ void openssl_add_all_digests_int(void)
EVP_add_digest(EVP_sha3_512());
EVP_add_digest(EVP_shake128());
EVP_add_digest(EVP_shake256());
+#ifdef OPENSSL_FIPS
+ } else {
+ EVP_add_digest(EVP_md5_sha1());
+ EVP_add_digest(EVP_sha1());
+ EVP_add_digest_alias(SN_sha1, "ssl3-sha1");
+ EVP_add_digest_alias(SN_sha1WithRSAEncryption, SN_sha1WithRSA);
+ EVP_add_digest(EVP_sha224());
+ EVP_add_digest(EVP_sha256());
+ EVP_add_digest(EVP_sha384());
+ EVP_add_digest(EVP_sha512());
+ EVP_add_digest(EVP_sha512_224());
+ EVP_add_digest(EVP_sha512_256());
+ EVP_add_digest(EVP_sha3_224());
+ EVP_add_digest(EVP_sha3_256());
+ EVP_add_digest(EVP_sha3_384());
+ EVP_add_digest(EVP_sha3_512());
+ EVP_add_digest(EVP_shake128());
+ EVP_add_digest(EVP_shake256());
+ }
+#endif
}
diff -up openssl-1.1.1e/crypto/evp/digest.c.fips openssl-1.1.1e/crypto/evp/digest.c
--- openssl-1.1.1e/crypto/evp/digest.c.fips 2020-03-17 15:31:17.000000000 +0100
+++ openssl-1.1.1e/crypto/evp/digest.c 2020-03-17 17:38:57.528093469 +0100
@ -2303,7 +2181,7 @@ diff -up openssl-1.1.1e/crypto/fips/fips.c.fips openssl-1.1.1e/crypto/fips/fips.
+ rv = 0;
+
+ /* Installed == true */
+ return !rv;
+ return !rv || FIPS_module_mode();
+}
+
+int FIPS_module_mode_set(int onoff)
@ -9865,7 +9743,7 @@ diff -up openssl-1.1.1e/crypto/o_fips.c.fips openssl-1.1.1e/crypto/o_fips.c
diff -up openssl-1.1.1e/crypto/o_init.c.fips openssl-1.1.1e/crypto/o_init.c
--- openssl-1.1.1e/crypto/o_init.c.fips 2020-03-17 15:31:17.000000000 +0100
+++ openssl-1.1.1e/crypto/o_init.c 2020-03-17 17:30:52.052566939 +0100
@@ -7,8 +7,68 @@
@@ -7,8 +7,69 @@
* https://www.openssl.org/source/license.html
*/
@ -9891,16 +9769,20 @@ diff -up openssl-1.1.1e/crypto/o_init.c.fips openssl-1.1.1e/crypto/o_init.c
+ char buf[2] = "0";
+ int fd;
+
+ /* Ensure the selftests always run */
+ /* XXX: TO SOLVE - premature initialization due to selftests */
+ FIPS_mode_set(1);
+
+ if (secure_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) {
+ buf[0] = '1';
+ } else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) {
+ while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR) ;
+ close(fd);
+ }
+
+ if (buf[0] != '1' && !FIPS_module_installed())
+ return;
+
+ /* Ensure the selftests always run */
+ /* XXX: TO SOLVE - premature initialization due to selftests */
+ FIPS_mode_set(1);
+
+ /* Failure reading the fips mode switch file means just not
+ * switching into FIPS mode. We would break too many things
+ * otherwise..
@ -9925,9 +9807,6 @@ diff -up openssl-1.1.1e/crypto/o_init.c.fips openssl-1.1.1e/crypto/o_init.c
+ if (done)
+ return;
+ done = 1;
+ if (!FIPS_module_installed()) {
+ return;
+ }
+ init_fips_mode();
+}
+#endif

170
openssl-1.1.1-kdf-selftest.patch Normal file
View File

@ -0,0 +1,170 @@
diff -up openssl-1.1.1g/crypto/fips/build.info.kdf-selftest openssl-1.1.1g/crypto/fips/build.info
--- openssl-1.1.1g/crypto/fips/build.info.kdf-selftest 2020-06-03 16:08:36.274849058 +0200
+++ openssl-1.1.1g/crypto/fips/build.info 2020-06-03 16:11:05.609079372 +0200
@@ -5,7 +5,7 @@ SOURCE[../../libcrypto]=\
fips_post.c fips_drbg_ctr.c fips_drbg_hash.c fips_drbg_hmac.c \
fips_drbg_lib.c fips_drbg_rand.c fips_drbg_selftest.c fips_rand_lib.c \
fips_cmac_selftest.c fips_ecdh_selftest.c fips_ecdsa_selftest.c \
- fips_dh_selftest.c fips_ers.c
+ fips_dh_selftest.c fips_kdf_selftest.c fips_ers.c
PROGRAMS_NO_INST=\
fips_standalone_hmac
diff -up openssl-1.1.1g/crypto/fips/fips_kdf_selftest.c.kdf-selftest openssl-1.1.1g/crypto/fips/fips_kdf_selftest.c
--- openssl-1.1.1g/crypto/fips/fips_kdf_selftest.c.kdf-selftest 2020-06-03 16:08:36.337849577 +0200
+++ openssl-1.1.1g/crypto/fips/fips_kdf_selftest.c 2020-06-03 16:08:36.337849577 +0200
@@ -0,0 +1,117 @@
+/*
+ * Copyright 2018-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright (c) 2018-2019, Oracle and/or its affiliates. All rights reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <string.h>
+#include <openssl/err.h>
+#include <openssl/fips.h>
+#include "crypto/fips.h"
+
+#include <openssl/evp.h>
+#include <openssl/kdf.h>
+
+#ifdef OPENSSL_FIPS
+int FIPS_selftest_pbkdf2(void)
+{
+ int ret = 0;
+ EVP_KDF_CTX *kctx;
+ unsigned char out[32];
+
+ if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_PBKDF2)) == NULL) {
+ goto err;
+ }
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_PASS, "password", (size_t)8) <= 0) {
+ goto err;
+ }
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, "salt", (size_t)4) <= 0) {
+ goto err;
+ }
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_ITER, 2) <= 0) {
+ goto err;
+ }
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()) <= 0) {
+ goto err;
+ }
+ if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) {
+ goto err;
+ }
+
+ {
+ const unsigned char expected[sizeof(out)] = {
+ 0xae, 0x4d, 0x0c, 0x95, 0xaf, 0x6b, 0x46, 0xd3,
+ 0x2d, 0x0a, 0xdf, 0xf9, 0x28, 0xf0, 0x6d, 0xd0,
+ 0x2a, 0x30, 0x3f, 0x8e, 0xf3, 0xc2, 0x51, 0xdf,
+ 0xd6, 0xe2, 0xd8, 0x5a, 0x95, 0x47, 0x4c, 0x43
+ };
+ if (memcmp(out, expected, sizeof(expected))) {
+ goto err;
+ }
+ }
+ ret = 1;
+
+err:
+ if (!ret)
+ FIPSerr(FIPS_F_FIPS_SELFTEST_PBKDF2, FIPS_R_SELFTEST_FAILED);
+ EVP_KDF_CTX_free(kctx);
+ return ret;
+}
+
+/* Test vector from RFC 8009 (AES Encryption with HMAC-SHA2 for Kerberos
+ * 5) appendix A. */
+int FIPS_selftest_kbkdf(void)
+{
+ int ret = 0;
+ EVP_KDF_CTX *kctx;
+ char *label = "prf", *prf_input = "test";
+ static unsigned char input_key[] = {
+ 0x37, 0x05, 0xD9, 0x60, 0x80, 0xC1, 0x77, 0x28,
+ 0xA0, 0xE8, 0x00, 0xEA, 0xB6, 0xE0, 0xD2, 0x3C,
+ };
+ static unsigned char output[] = {
+ 0x9D, 0x18, 0x86, 0x16, 0xF6, 0x38, 0x52, 0xFE,
+ 0x86, 0x91, 0x5B, 0xB8, 0x40, 0xB4, 0xA8, 0x86,
+ 0xFF, 0x3E, 0x6B, 0xB0, 0xF8, 0x19, 0xB4, 0x9B,
+ 0x89, 0x33, 0x93, 0xD3, 0x93, 0x85, 0x42, 0x95,
+ };
+ unsigned char result[sizeof(output)] = { 0 };
+
+ if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_KB)) == NULL) {
+ goto err;
+ }
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_MAC_TYPE, EVP_KDF_KB_MAC_TYPE_HMAC) <= 0) {
+ goto err;
+ }
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()) <= 0) {
+ goto err;
+ }
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, input_key, sizeof(input_key)) <= 0) {
+ goto err;
+ }
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, label, strlen(label)) <= 0) {
+ goto err;
+ }
+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_INFO, prf_input, strlen(prf_input)) <= 0) {
+ goto err;
+ }
+ ret = EVP_KDF_derive(kctx, result, sizeof(result)) > 0
+ && memcmp(result, output, sizeof(output)) == 0;
+err:
+
+ if (!ret)
+ FIPSerr(FIPS_F_FIPS_SELFTEST_KBKDF, FIPS_R_SELFTEST_FAILED);
+ EVP_KDF_CTX_free(kctx);
+ return ret;
+}
+
+int FIPS_selftest_kdf(void)
+{
+ return FIPS_selftest_pbkdf2() && FIPS_selftest_kbkdf();
+}
+
+#endif
diff -up openssl-1.1.1g/crypto/fips/fips_post.c.kdf-selftest openssl-1.1.1g/crypto/fips/fips_post.c
--- openssl-1.1.1g/crypto/fips/fips_post.c.kdf-selftest 2020-06-03 16:08:36.332849536 +0200
+++ openssl-1.1.1g/crypto/fips/fips_post.c 2020-06-03 16:08:36.338849585 +0200
@@ -111,6 +111,8 @@ int FIPS_selftest(void)
rv = 0;
if (!FIPS_selftest_ecdh())
rv = 0;
+ if (!FIPS_selftest_kdf())
+ rv = 0;
return rv;
}
diff -up openssl-1.1.1g/include/crypto/fips.h.kdf-selftest openssl-1.1.1g/include/crypto/fips.h
--- openssl-1.1.1g/include/crypto/fips.h.kdf-selftest 2020-06-03 16:08:36.330849519 +0200
+++ openssl-1.1.1g/include/crypto/fips.h 2020-06-03 16:08:36.338849585 +0200
@@ -72,6 +72,9 @@ void FIPS_drbg_stick(int onoff);
int FIPS_selftest_hmac(void);
int FIPS_selftest_drbg(void);
int FIPS_selftest_cmac(void);
+int FIPS_selftest_kbkdf(void);
+int FIPS_selftest_pbkdf2(void);
+int FIPS_selftest_kdf(void);
int fips_in_post(void);
diff -up openssl-1.1.1g/include/openssl/fips.h.kdf-selftest openssl-1.1.1g/include/openssl/fips.h
--- openssl-1.1.1g/include/openssl/fips.h.kdf-selftest 2020-06-03 16:08:36.282849124 +0200
+++ openssl-1.1.1g/include/openssl/fips.h 2020-06-03 16:08:36.338849585 +0200
@@ -123,6 +123,8 @@ extern "C" {
# define FIPS_F_FIPS_SELFTEST_DSA 112
# define FIPS_F_FIPS_SELFTEST_ECDSA 133
# define FIPS_F_FIPS_SELFTEST_HMAC 113
+# define FIPS_F_FIPS_SELFTEST_KBKDF 151
+# define FIPS_F_FIPS_SELFTEST_PBKDF2 152
# define FIPS_F_FIPS_SELFTEST_SHA1 115
# define FIPS_F_FIPS_SELFTEST_SHA2 105
# define FIPS_F_OSSL_ECDSA_SIGN_SIG 143

44
openssl-1.1.1-reneg-no-extms.patch Normal file
View File

@ -0,0 +1,44 @@
diff -up openssl-1.1.1g/include/openssl/ssl3.h.reneg-no-extms openssl-1.1.1g/include/openssl/ssl3.h
--- openssl-1.1.1g/include/openssl/ssl3.h.reneg-no-extms 2020-04-21 14:22:39.000000000 +0200
+++ openssl-1.1.1g/include/openssl/ssl3.h 2020-06-05 15:20:22.090682776 +0200
@@ -292,6 +292,9 @@ extern "C" {
# define TLS1_FLAGS_STATELESS 0x0800
+/* Set if extended master secret extension required on renegotiation */
+# define TLS1_FLAGS_REQUIRED_EXTMS 0x1000
+
# define SSL3_MT_HELLO_REQUEST 0
# define SSL3_MT_CLIENT_HELLO 1
# define SSL3_MT_SERVER_HELLO 2
diff -up openssl-1.1.1g/ssl/statem/extensions.c.reneg-no-extms openssl-1.1.1g/ssl/statem/extensions.c
--- openssl-1.1.1g/ssl/statem/extensions.c.reneg-no-extms 2020-04-21 14:22:39.000000000 +0200
+++ openssl-1.1.1g/ssl/statem/extensions.c 2020-06-05 15:22:19.677653437 +0200
@@ -1168,14 +1168,26 @@ static int init_etm(SSL *s, unsigned int
static int init_ems(SSL *s, unsigned int context)
{
- if (!s->server)
+ if (s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) {
s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS;
+ s->s3->flags |= TLS1_FLAGS_REQUIRED_EXTMS;
+ }
return 1;
}
static int final_ems(SSL *s, unsigned int context, int sent)
{
+ /*
+ * Check extended master secret extension is not dropped on
+ * renegotiation.
+ */
+ if (!(s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS)
+ && (s->s3->flags & TLS1_FLAGS_REQUIRED_EXTMS)) {
+ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_FINAL_EMS,
+ SSL_R_INCONSISTENT_EXTMS);
+ return 0;
+ }
if (!s->server && s->hit) {
/*
* Check extended master secret extension is consistent with

170
openssl-1.1.1-rewire-fips-drbg.patch Normal file
View File

@ -0,0 +1,170 @@
diff -up openssl-1.1.1g/crypto/fips/fips_drbg_lib.c.rewire-fips-drbg openssl-1.1.1g/crypto/fips/fips_drbg_lib.c
--- openssl-1.1.1g/crypto/fips/fips_drbg_lib.c.rewire-fips-drbg 2020-06-22 13:32:47.611852927 +0200
+++ openssl-1.1.1g/crypto/fips/fips_drbg_lib.c 2020-06-22 13:32:47.675852917 +0200
@@ -337,6 +337,19 @@ static int drbg_reseed(DRBG_CTX *dctx,
int FIPS_drbg_reseed(DRBG_CTX *dctx,
const unsigned char *adin, size_t adinlen)
{
+ int len = (int)adinlen;
+
+ if (len < 0 || (size_t)len != adinlen) {
+ FIPSerr(FIPS_F_DRBG_RESEED, FIPS_R_ADDITIONAL_INPUT_TOO_LONG);
+ return 0;
+ }
+ RAND_seed(adin, len);
+ return 1;
+}
+
+int FIPS_drbg_reseed_internal(DRBG_CTX *dctx,
+ const unsigned char *adin, size_t adinlen)
+{
return drbg_reseed(dctx, adin, adinlen, 1);
}
@@ -358,6 +371,19 @@ int FIPS_drbg_generate(DRBG_CTX *dctx, u
int prediction_resistance,
const unsigned char *adin, size_t adinlen)
{
+ int len = (int)outlen;
+
+ if (len < 0 || (size_t)len != outlen) {
+ FIPSerr(FIPS_F_FIPS_DRBG_GENERATE, FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG);
+ return 0;
+ }
+ return RAND_bytes(out, len);
+}
+
+int FIPS_drbg_generate_internal(DRBG_CTX *dctx, unsigned char *out, size_t outlen,
+ int prediction_resistance,
+ const unsigned char *adin, size_t adinlen)
+{
int r = 0;
if (FIPS_selftest_failed()) {
diff -up openssl-1.1.1g/crypto/fips/fips_drbg_rand.c.rewire-fips-drbg openssl-1.1.1g/crypto/fips/fips_drbg_rand.c
--- openssl-1.1.1g/crypto/fips/fips_drbg_rand.c.rewire-fips-drbg 2020-06-22 13:32:47.611852927 +0200
+++ openssl-1.1.1g/crypto/fips/fips_drbg_rand.c 2020-06-22 13:32:47.675852917 +0200
@@ -57,6 +57,8 @@
#include <openssl/err.h>
#include <openssl/rand.h>
#include <openssl/fips.h>
+#define FIPS_DRBG_generate FIPS_DRBG_generate_internal
+#define FIPS_DRBG_reseed FIPS_DRBG_reseed_internal
#include <openssl/fips_rand.h>
#include "fips_rand_lcl.h"
diff -up openssl-1.1.1g/crypto/fips/fips_drbg_selftest.c.rewire-fips-drbg openssl-1.1.1g/crypto/fips/fips_drbg_selftest.c
--- openssl-1.1.1g/crypto/fips/fips_drbg_selftest.c.rewire-fips-drbg 2020-06-22 13:32:47.612852927 +0200
+++ openssl-1.1.1g/crypto/fips/fips_drbg_selftest.c 2020-06-22 13:32:47.675852917 +0200
@@ -55,6 +55,8 @@
#include <openssl/crypto.h>
#include <openssl/err.h>
#include <openssl/fips.h>
+#define FIPS_DRBG_generate FIPS_DRBG_generate_internal
+#define FIPS_DRBG_reseed FIPS_DRBG_reseed_internal
#include <openssl/fips_rand.h>
#include "fips_rand_lcl.h"
#include "fips_locl.h"
diff -up openssl-1.1.1g/crypto/fips/fips_post.c.rewire-fips-drbg openssl-1.1.1g/crypto/fips/fips_post.c
--- openssl-1.1.1g/crypto/fips/fips_post.c.rewire-fips-drbg 2020-06-22 13:32:47.672852918 +0200
+++ openssl-1.1.1g/crypto/fips/fips_post.c 2020-06-22 13:32:47.675852917 +0200
@@ -79,8 +79,6 @@ int FIPS_selftest(void)
ERR_add_error_data(2, "Type=", "rand_drbg_selftest");
rv = 0;
}
- if (!FIPS_selftest_drbg())
- rv = 0;
if (!FIPS_selftest_sha1())
rv = 0;
if (!FIPS_selftest_sha2())
diff -up openssl-1.1.1g/crypto/fips/fips_rand_lib.c.rewire-fips-drbg openssl-1.1.1g/crypto/fips/fips_rand_lib.c
--- openssl-1.1.1g/crypto/fips/fips_rand_lib.c.rewire-fips-drbg 2020-06-22 13:32:47.613852927 +0200
+++ openssl-1.1.1g/crypto/fips/fips_rand_lib.c 2020-06-22 13:36:28.722817967 +0200
@@ -120,6 +120,7 @@ void FIPS_rand_reset(void)
int FIPS_rand_seed(const void *buf, int num)
{
+#if 0
if (!fips_approved_rand_meth && FIPS_module_mode()) {
FIPSerr(FIPS_F_FIPS_RAND_SEED, FIPS_R_NON_FIPS_METHOD);
return 0;
@@ -127,10 +128,15 @@ int FIPS_rand_seed(const void *buf, int
if (fips_rand_meth && fips_rand_meth->seed)
fips_rand_meth->seed(buf, num);
return 1;
+#else
+ RAND_seed(buf, num);
+ return 1;
+#endif
}
int FIPS_rand_bytes(unsigned char *buf, int num)
{
+#if 0
if (!fips_approved_rand_meth && FIPS_module_mode()) {
FIPSerr(FIPS_F_FIPS_RAND_BYTES, FIPS_R_NON_FIPS_METHOD);
return 0;
@@ -138,10 +144,14 @@ int FIPS_rand_bytes(unsigned char *buf,
if (fips_rand_meth && fips_rand_meth->bytes)
return fips_rand_meth->bytes(buf, num);
return 0;
+#else
+ return RAND_bytes(buf, num);
+#endif
}
int FIPS_rand_status(void)
{
+#if 0
if (!fips_approved_rand_meth && FIPS_module_mode()) {
FIPSerr(FIPS_F_FIPS_RAND_STATUS, FIPS_R_NON_FIPS_METHOD);
return 0;
@@ -149,6 +159,9 @@ int FIPS_rand_status(void)
if (fips_rand_meth && fips_rand_meth->status)
return fips_rand_meth->status();
return 0;
+#else
+ return RAND_status();
+#endif
}
/* Return instantiated strength of PRNG. For DRBG this is an internal
diff -up openssl-1.1.1g/include/openssl/fips.h.rewire-fips-drbg openssl-1.1.1g/include/openssl/fips.h
--- openssl-1.1.1g/include/openssl/fips.h.rewire-fips-drbg 2020-06-22 13:32:47.672852918 +0200
+++ openssl-1.1.1g/include/openssl/fips.h 2020-06-22 13:32:47.675852917 +0200
@@ -64,6 +64,11 @@ extern "C" {
int FIPS_selftest(void);
int FIPS_selftest_failed(void);
+
+ /*
+ * This function is deprecated as it performs selftest of the old FIPS drbg
+ * implementation that is not validated.
+ */
int FIPS_selftest_drbg_all(void);
int FIPS_dsa_builtin_paramgen2(DSA *ret, size_t L, size_t N,
diff -up openssl-1.1.1g/include/openssl/fips_rand.h.rewire-fips-drbg openssl-1.1.1g/include/openssl/fips_rand.h
--- openssl-1.1.1g/include/openssl/fips_rand.h.rewire-fips-drbg 2020-06-22 13:32:47.617852926 +0200
+++ openssl-1.1.1g/include/openssl/fips_rand.h 2020-06-22 13:32:47.675852917 +0200
@@ -60,6 +60,20 @@
# ifdef __cplusplus
extern "C" {
# endif
+
+/*
+ * IMPORTANT NOTE:
+ * All functions in this header file are deprecated and should not be used
+ * as they use the old FIPS_drbg implementation that is not FIPS validated
+ * anymore.
+ * To provide backwards compatibility for applications that need FIPS compliant
+ * RNG number generation and use FIPS_drbg_generate, this function was
+ * re-wired to call the FIPS validated DRBG instance instead through
+ * the RAND_bytes() call.
+ *
+ * All these functions will be removed in future.
+ */
+
typedef struct drbg_ctx_st DRBG_CTX;
/* DRBG external flags */
/* Flag for CTR mode only: use derivation function ctr_df */

2306
openssl-1.1.1-s390x-ecc.patch Normal file
View File

File diff suppressed because it is too large Load Diff

133
openssl-1.1.1-seclevel.patch
View File

@ -1,7 +1,7 @@
diff -up openssl-1.1.1/crypto/x509/x509_vfy.c.seclevel openssl-1.1.1/crypto/x509/x509_vfy.c
--- openssl-1.1.1/crypto/x509/x509_vfy.c.seclevel 2018-09-11 14:48:22.000000000 +0200
+++ openssl-1.1.1/crypto/x509/x509_vfy.c 2018-10-01 09:52:23.535298908 +0200
@@ -3220,6 +3220,7 @@ static int build_chain(X509_STORE_CTX *c
diff -up openssl-1.1.1g/crypto/x509/x509_vfy.c.seclevel openssl-1.1.1g/crypto/x509/x509_vfy.c
--- openssl-1.1.1g/crypto/x509/x509_vfy.c.seclevel 2020-04-21 14:22:39.000000000 +0200
+++ openssl-1.1.1g/crypto/x509/x509_vfy.c 2020-06-05 17:16:54.835536823 +0200
@@ -3225,6 +3225,7 @@ static int build_chain(X509_STORE_CTX *c
}
static const int minbits_table[] = { 80, 112, 128, 192, 256 };
@ -9,20 +9,23 @@ diff -up openssl-1.1.1/crypto/x509/x509_vfy.c.seclevel openssl-1.1.1/crypto/x509
static const int NUM_AUTH_LEVELS = OSSL_NELEM(minbits_table);
/*
@@ -3264,6 +3265,8 @@ static int check_sig_level(X509_STORE_CT
@@ -3276,6 +3277,11 @@ static int check_sig_level(X509_STORE_CT
if (!X509_get_signature_info(cert, NULL, NULL, &secbits, NULL))
return 0;
-
- return secbits >= minbits_table[level - 1];
+ /* Allow SHA1 in SECLEVEL 2 in non-FIPS mode */
+ if (FIPS_mode())
+ /*
+ * Allow SHA1 in SECLEVEL 2 in non-FIPS mode or when the magic
+ * disable SHA1 flag is not set.
+ */
+ if ((ctx->param->flags & 0x40000000) || FIPS_mode())
+ return secbits >= minbits_table[level - 1];
+ return secbits >= minbits_digest_table[level - 1];
}
diff -up openssl-1.1.1/doc/man3/SSL_CTX_set_security_level.pod.seclevel openssl-1.1.1/doc/man3/SSL_CTX_set_security_level.pod
--- openssl-1.1.1/doc/man3/SSL_CTX_set_security_level.pod.seclevel 2018-09-11 14:48:22.000000000 +0200
+++ openssl-1.1.1/doc/man3/SSL_CTX_set_security_level.pod 2018-10-01 09:52:23.535298908 +0200
diff -up openssl-1.1.1g/doc/man3/SSL_CTX_set_security_level.pod.seclevel openssl-1.1.1g/doc/man3/SSL_CTX_set_security_level.pod
--- openssl-1.1.1g/doc/man3/SSL_CTX_set_security_level.pod.seclevel 2020-04-21 14:22:39.000000000 +0200
+++ openssl-1.1.1g/doc/man3/SSL_CTX_set_security_level.pod 2020-06-04 15:48:01.608178833 +0200
@@ -81,8 +81,10 @@ using MD5 for the MAC is also prohibited
=item B<Level 2>
@ -36,23 +39,115 @@ diff -up openssl-1.1.1/doc/man3/SSL_CTX_set_security_level.pod.seclevel openssl-
In addition to the level 1 exclusions any cipher suite using RC4 is also
prohibited. SSL version 3 is also not allowed. Compression is disabled.
diff -up openssl-1.1.1/ssl/ssl_cert.c.seclevel openssl-1.1.1/ssl/ssl_cert.c
--- openssl-1.1.1/ssl/ssl_cert.c.seclevel 2018-09-11 14:48:23.000000000 +0200
+++ openssl-1.1.1/ssl/ssl_cert.c 2018-10-12 15:29:12.673799305 +0200
@@ -983,6 +983,9 @@ static int ssl_security_default_callback
diff -up openssl-1.1.1g/ssl/ssl_cert.c.seclevel openssl-1.1.1g/ssl/ssl_cert.c
--- openssl-1.1.1g/ssl/ssl_cert.c.seclevel 2020-04-21 14:22:39.000000000 +0200
+++ openssl-1.1.1g/ssl/ssl_cert.c 2020-06-05 17:10:11.842198401 +0200
@@ -27,6 +27,7 @@
static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx,
int op, int bits, int nid, void *other,
void *ex);
+static unsigned long sha1_disable(const SSL *s, const SSL_CTX *ctx);
static CRYPTO_ONCE ssl_x509_store_ctx_once = CRYPTO_ONCE_STATIC_INIT;
static volatile int ssl_x509_store_ctx_idx = -1;
@@ -396,7 +397,7 @@ int ssl_verify_cert_chain(SSL *s, STACK_
X509_VERIFY_PARAM_set_auth_level(param, SSL_get_security_level(s));
/* Set suite B flags if needed */
- X509_STORE_CTX_set_flags(ctx, tls1_suiteb(s));
+ X509_STORE_CTX_set_flags(ctx, tls1_suiteb(s) | sha1_disable(s, NULL));
if (!X509_STORE_CTX_set_ex_data
(ctx, SSL_get_ex_data_X509_STORE_CTX_idx(), s)) {
goto end;
@@ -953,12 +954,33 @@ static int ssl_security_default_callback
return 0;
break;
default:
+ /* allow SHA1 in SECLEVEL 2 in non FIPS mode */
+ if (nid == NID_sha1 && minbits == 112 && !FIPS_mode())
+ if (nid == NID_sha1 && minbits == 112 && !sha1_disable(s, ctx))
+ break;
if (bits < minbits)
return 0;
}
diff -up openssl-1.1.1/test/recipes/25-test_verify.t.seclevel openssl-1.1.1/test/recipes/25-test_verify.t
--- openssl-1.1.1/test/recipes/25-test_verify.t.seclevel 2018-09-11 14:48:24.000000000 +0200
+++ openssl-1.1.1/test/recipes/25-test_verify.t 2018-10-01 09:52:23.535298908 +0200
@@ -342,8 +342,8 @@ ok(verify("ee-pss-sha1-cert", "sslserver
return 1;
}
+static unsigned long sha1_disable(const SSL *s, const SSL_CTX *ctx)
+{
+ unsigned long ret = 0x40000000; /* a magical internal value used by X509_VERIFY_PARAM */
+ const CERT *c;
+
+ if (FIPS_mode())
+ return ret;
+
+ if (ctx != NULL) {
+ c = ctx->cert;
+ } else {
+ c = s->cert;
+ }
+ if (tls1_cert_sigalgs_have_sha1(c))
+ return 0;
+ return ret;
+}
+
int ssl_security(const SSL *s, int op, int bits, int nid, void *other)
{
return s->cert->sec_cb(s, NULL, op, bits, nid, other, s->cert->sec_ex);
diff -up openssl-1.1.1g/ssl/ssl_local.h.seclevel openssl-1.1.1g/ssl/ssl_local.h
--- openssl-1.1.1g/ssl/ssl_local.h.seclevel 2020-06-04 15:48:01.602178783 +0200
+++ openssl-1.1.1g/ssl/ssl_local.h 2020-06-05 17:02:22.666313410 +0200
@@ -2576,6 +2576,7 @@ __owur int tls1_save_sigalgs(SSL *s, PAC
__owur int tls1_process_sigalgs(SSL *s);
__owur int tls1_set_peer_legacy_sigalg(SSL *s, const EVP_PKEY *pkey);
__owur int tls1_lookup_md(const SIGALG_LOOKUP *lu, const EVP_MD **pmd);
+int tls1_cert_sigalgs_have_sha1(const CERT *c);
__owur size_t tls12_get_psigalgs(SSL *s, int sent, const uint16_t **psigs);
# ifndef OPENSSL_NO_EC
__owur int tls_check_sigalg_curve(const SSL *s, int curve);
diff -up openssl-1.1.1g/ssl/t1_lib.c.seclevel openssl-1.1.1g/ssl/t1_lib.c
--- openssl-1.1.1g/ssl/t1_lib.c.seclevel 2020-06-04 15:48:01.654179221 +0200
+++ openssl-1.1.1g/ssl/t1_lib.c 2020-06-05 17:02:40.268459157 +0200
@@ -2145,6 +2145,36 @@ int tls1_set_sigalgs(CERT *c, const int
return 0;
}
+static int tls1_sigalgs_have_sha1(const uint16_t *sigalgs, size_t sigalgslen)
+{
+ size_t i;
+
+ for (i = 0; i < sigalgslen; i++, sigalgs++) {
+ const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(*sigalgs);
+
+ if (lu == NULL)
+ continue;
+ if (lu->hash == NID_sha1)
+ return 1;
+ }
+ return 0;
+}
+
+
+int tls1_cert_sigalgs_have_sha1(const CERT *c)
+{
+ if (c->client_sigalgs != NULL) {
+ if (tls1_sigalgs_have_sha1(c->client_sigalgs, c->client_sigalgslen))
+ return 1;
+ }
+ if (c->conf_sigalgs != NULL) {
+ if (tls1_sigalgs_have_sha1(c->conf_sigalgs, c->conf_sigalgslen))
+ return 1;
+ return 0;
+ }
+ return 1;
+}
+
static int tls1_check_sig_alg(SSL *s, X509 *x, int default_nid)
{
int sig_nid, use_pc_sigalgs = 0;
diff -up openssl-1.1.1g/test/recipes/25-test_verify.t.seclevel openssl-1.1.1g/test/recipes/25-test_verify.t
--- openssl-1.1.1g/test/recipes/25-test_verify.t.seclevel 2020-04-21 14:22:39.000000000 +0200
+++ openssl-1.1.1g/test/recipes/25-test_verify.t 2020-06-04 15:48:01.608178833 +0200
@@ -346,8 +346,8 @@ ok(verify("ee-pss-sha1-cert", "sslserver
ok(verify("ee-pss-sha256-cert", "sslserver", ["root-cert"], ["ca-cert"], ),
"CA with PSS signature using SHA256");

36
openssl-1.1.1-status-request.patch
View File

@ -1,36 +0,0 @@
From 93e26cedac20844733d59f33e313880da17fa23a Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Thu, 5 Sep 2019 16:43:57 +0100
Subject: [PATCH 1/2] Don't send a status_request extension in a
CertificateRequest message
If a TLSv1.3 server configured to respond to the status_request extension
also attempted to send a CertificateRequest then it was incorrectly
inserting a non zero length status_request extension into that message.
The TLSv1.3 RFC does allow that extension in that message but it must
always be zero length.
In fact we should not be sending the extension at all in that message
because we don't support it.
Fixes #9767
---
ssl/statem/extensions_srvr.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
index e16722cbeb8..1c023fc6c40 100644
--- a/ssl/statem/extensions_srvr.c
+++ b/ssl/statem/extensions_srvr.c
@@ -1491,6 +1491,10 @@ EXT_RETURN tls_construct_stoc_status_request(SSL *s, WPACKET *pkt,
unsigned int context, X509 *x,
size_t chainidx)
{
+ /* We don't currently support this extension inside a CertificateRequest */
+ if (context == SSL_EXT_TLS1_3_CERTIFICATE_REQUEST)
+ return EXT_RETURN_NOT_SENT;
+
if (!s->ext.status_expected)
return EXT_RETURN_NOT_SENT;

671
openssl-1.1.1-upstream-sync.patch
View File

@ -1,671 +0,0 @@
diff --git a/crypto/ec/ec_asn1.c b/crypto/ec/ec_asn1.c
index 336afc989d..831b74ce6c 100644
--- a/crypto/ec/ec_asn1.c
+++ b/crypto/ec/ec_asn1.c
@@ -1297,5 +1297,7 @@ int ECDSA_size(const EC_KEY *r)
i = i2d_ASN1_INTEGER(&bs, NULL);
i += i; /* r and s */
ret = ASN1_object_size(1, i, V_ASN1_SEQUENCE);
+ if (ret < 0)
+ return 0;
return ret;
}
diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c
index 3554ada827..22b00e203d 100644
--- a/crypto/ec/ec_lib.c
+++ b/crypto/ec/ec_lib.c
@@ -1007,14 +1007,14 @@ int EC_POINTs_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
size_t i = 0;
BN_CTX *new_ctx = NULL;
- if ((scalar == NULL) && (num == 0)) {
- return EC_POINT_set_to_infinity(group, r);
- }
-
if (!ec_point_is_compat(r, group)) {
ECerr(EC_F_EC_POINTS_MUL, EC_R_INCOMPATIBLE_OBJECTS);
return 0;
}
+
+ if (scalar == NULL && num == 0)
+ return EC_POINT_set_to_infinity(group, r);
+
for (i = 0; i < num; i++) {
if (!ec_point_is_compat(points[i], group)) {
ECerr(EC_F_EC_POINTS_MUL, EC_R_INCOMPATIBLE_OBJECTS);
diff --git a/crypto/ec/ec_mult.c b/crypto/ec/ec_mult.c
index 7980a67282..d2e4773270 100644
--- a/crypto/ec/ec_mult.c
+++ b/crypto/ec/ec_mult.c
@@ -260,17 +260,10 @@ int ec_scalar_mul_ladder(const EC_GROUP *group, EC_POINT *r,
goto err;
}
- /*-
- * Apply coordinate blinding for EC_POINT.
- *
- * The underlying EC_METHOD can optionally implement this function:
- * ec_point_blind_coordinates() returns 0 in case of errors or 1 on
- * success or if coordinate blinding is not implemented for this
- * group.
- */
- if (!ec_point_blind_coordinates(group, p, ctx)) {
- ECerr(EC_F_EC_SCALAR_MUL_LADDER, EC_R_POINT_COORDINATES_BLIND_FAILURE);
- goto err;
+ /* ensure input point is in affine coords for ladder step efficiency */
+ if (!p->Z_is_one && !EC_POINT_make_affine(group, p, ctx)) {
+ ECerr(EC_F_EC_SCALAR_MUL_LADDER, ERR_R_EC_LIB);
+ goto err;
}
/* Initialize the Montgomery ladder */
@@ -747,6 +740,20 @@ int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
if (r_is_at_infinity) {
if (!EC_POINT_copy(r, val_sub[i][digit >> 1]))
goto err;
+
+ /*-
+ * Apply coordinate blinding for EC_POINT.
+ *
+ * The underlying EC_METHOD can optionally implement this function:
+ * ec_point_blind_coordinates() returns 0 in case of errors or 1 on
+ * success or if coordinate blinding is not implemented for this
+ * group.
+ */
+ if (!ec_point_blind_coordinates(group, r, ctx)) {
+ ECerr(EC_F_EC_WNAF_MUL, EC_R_POINT_COORDINATES_BLIND_FAILURE);
+ goto err;
+ }
+
r_is_at_infinity = 0;
} else {
if (!EC_POINT_add
diff --git a/crypto/ec/ecp_smpl.c b/crypto/ec/ecp_smpl.c
index b354bfe9ce..6903db58ff 100644
--- a/crypto/ec/ecp_smpl.c
+++ b/crypto/ec/ecp_smpl.c
@@ -1372,6 +1372,7 @@ int ec_GFp_simple_field_sqr(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
* Computes the multiplicative inverse of a in GF(p), storing the result in r.
* If a is zero (or equivalent), you'll get a EC_R_CANNOT_INVERT error.
* Since we don't have a Mont structure here, SCA hardening is with blinding.
+ * NB: "a" must be in _decoded_ form. (i.e. field_decode must precede.)
*/
int ec_GFp_simple_field_inv(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
BN_CTX *ctx)
@@ -1431,112 +1432,133 @@ int ec_GFp_simple_blind_coordinates(const EC_GROUP *group, EC_POINT *p,
temp = BN_CTX_get(ctx);
if (temp == NULL) {
ECerr(EC_F_EC_GFP_SIMPLE_BLIND_COORDINATES, ERR_R_MALLOC_FAILURE);
- goto err;
+ goto end;
}
- /* make sure lambda is not zero */
+ /*-
+ * Make sure lambda is not zero.
+ * If the RNG fails, we cannot blind but nevertheless want
+ * code to continue smoothly and not clobber the error stack.
+ */
do {
- if (!BN_priv_rand_range(lambda, group->field)) {
- ECerr(EC_F_EC_GFP_SIMPLE_BLIND_COORDINATES, ERR_R_BN_LIB);
- goto err;
+ ERR_set_mark();
+ ret = BN_priv_rand_range(lambda, group->field);
+ ERR_pop_to_mark();
+ if (ret == 0) {
+ ret = 1;
+ goto end;
}
} while (BN_is_zero(lambda));
/* if field_encode defined convert between representations */
- if (group->meth->field_encode != NULL
- && !group->meth->field_encode(group, lambda, lambda, ctx))
- goto err;
- if (!group->meth->field_mul(group, p->Z, p->Z, lambda, ctx))
- goto err;
- if (!group->meth->field_sqr(group, temp, lambda, ctx))
- goto err;
- if (!group->meth->field_mul(group, p->X, p->X, temp, ctx))
- goto err;
- if (!group->meth->field_mul(group, temp, temp, lambda, ctx))
- goto err;
- if (!group->meth->field_mul(group, p->Y, p->Y, temp, ctx))
- goto err;
- p->Z_is_one = 0;
+ if ((group->meth->field_encode != NULL
+ && !group->meth->field_encode(group, lambda, lambda, ctx))
+ || !group->meth->field_mul(group, p->Z, p->Z, lambda, ctx)
+ || !group->meth->field_sqr(group, temp, lambda, ctx)
+ || !group->meth->field_mul(group, p->X, p->X, temp, ctx)
+ || !group->meth->field_mul(group, temp, temp, lambda, ctx)
+ || !group->meth->field_mul(group, p->Y, p->Y, temp, ctx))
+ goto end;
+ p->Z_is_one = 0;
ret = 1;
- err:
+ end:
BN_CTX_end(ctx);
return ret;
}
/*-
- * Set s := p, r := 2p.
+ * Input:
+ * - p: affine coordinates
+ *
+ * Output:
+ * - s := p, r := 2p: blinded projective (homogeneous) coordinates
*
* For doubling we use Formula 3 from Izu-Takagi "A fast parallel elliptic curve
- * multiplication resistant against side channel attacks" appendix, as described
- * at
+ * multiplication resistant against side channel attacks" appendix, described at
* https://hyperelliptic.org/EFD/g1p/auto-shortw-xz.html#doubling-dbl-2002-it-2
+ * simplified for Z1=1.
*
- * The input point p will be in randomized Jacobian projective coords:
- * x = X/Z**2, y=Y/Z**3
- *
- * The output points p, s, and r are converted to standard (homogeneous)
- * projective coords:
- * x = X/Z, y=Y/Z
+ * Blinding uses the equivalence relation (\lambda X, \lambda Y, \lambda Z)
+ * for any non-zero \lambda that holds for projective (homogeneous) coords.
*/
int ec_GFp_simple_ladder_pre(const EC_GROUP *group,
EC_POINT *r, EC_POINT *s,
EC_POINT *p, BN_CTX *ctx)
{
- BIGNUM *t1, *t2, *t3, *t4, *t5, *t6 = NULL;
+ BIGNUM *t1, *t2, *t3, *t4, *t5 = NULL;
- t1 = r->Z;
- t2 = r->Y;
+ t1 = s->Z;
+ t2 = r->Z;
t3 = s->X;
t4 = r->X;
t5 = s->Y;
- t6 = s->Z;
-
- /* convert p: (X,Y,Z) -> (XZ,Y,Z**3) */
- if (!group->meth->field_mul(group, p->X, p->X, p->Z, ctx)
- || !group->meth->field_sqr(group, t1, p->Z, ctx)
- || !group->meth->field_mul(group, p->Z, p->Z, t1, ctx)
- /* r := 2p */
- || !group->meth->field_sqr(group, t2, p->X, ctx)
- || !group->meth->field_sqr(group, t3, p->Z, ctx)
- || !group->meth->field_mul(group, t4, t3, group->a, ctx)
- || !BN_mod_sub_quick(t5, t2, t4, group->field)
- || !BN_mod_add_quick(t2, t2, t4, group->field)
- || !group->meth->field_sqr(group, t5, t5, ctx)
- || !group->meth->field_mul(group, t6, t3, group->b, ctx)
- || !group->meth->field_mul(group, t1, p->X, p->Z, ctx)
- || !group->meth->field_mul(group, t4, t1, t6, ctx)
- || !BN_mod_lshift_quick(t4, t4, 3, group->field)
+
+ if (!p->Z_is_one /* r := 2p */
+ || !group->meth->field_sqr(group, t3, p->X, ctx)
+ || !BN_mod_sub_quick(t4, t3, group->a, group->field)
+ || !group->meth->field_sqr(group, t4, t4, ctx)
+ || !group->meth->field_mul(group, t5, p->X, group->b, ctx)
+ || !BN_mod_lshift_quick(t5, t5, 3, group->field)
/* r->X coord output */
- || !BN_mod_sub_quick(r->X, t5, t4, group->field)
- || !group->meth->field_mul(group, t1, t1, t2, ctx)
- || !group->meth->field_mul(group, t2, t3, t6, ctx)
- || !BN_mod_add_quick(t1, t1, t2, group->field)
+ || !BN_mod_sub_quick(r->X, t4, t5, group->field)
+ || !BN_mod_add_quick(t1, t3, group->a, group->field)
+ || !group->meth->field_mul(group, t2, p->X, t1, ctx)
+ || !BN_mod_add_quick(t2, group->b, t2, group->field)
/* r->Z coord output */
- || !BN_mod_lshift_quick(r->Z, t1, 2, group->field)
- || !EC_POINT_copy(s, p))
+ || !BN_mod_lshift_quick(r->Z, t2, 2, group->field))
+ return 0;
+
+ /* make sure lambda (r->Y here for storage) is not zero */
+ do {
+ if (!BN_priv_rand_range(r->Y, group->field))
+ return 0;
+ } while (BN_is_zero(r->Y));
+
+ /* make sure lambda (s->Z here for storage) is not zero */
+ do {
+ if (!BN_priv_rand_range(s->Z, group->field))
+ return 0;
+ } while (BN_is_zero(s->Z));
+
+ /* if field_encode defined convert between representations */
+ if (group->meth->field_encode != NULL
+ && (!group->meth->field_encode(group, r->Y, r->Y, ctx)
+ || !group->meth->field_encode(group, s->Z, s->Z, ctx)))
+ return 0;
+
+ /* blind r and s independently */
+ if (!group->meth->field_mul(group, r->Z, r->Z, r->Y, ctx)
+ || !group->meth->field_mul(group, r->X, r->X, r->Y, ctx)
+ || !group->meth->field_mul(group, s->X, p->X, s->Z, ctx)) /* s := p */
return 0;
r->Z_is_one = 0;
s->Z_is_one = 0;
- p->Z_is_one = 0;
return 1;
}
/*-
- * Differential addition-and-doubling using Eq. (9) and (10) from Izu-Takagi
+ * Input:
+ * - s, r: projective (homogeneous) coordinates
+ * - p: affine coordinates
+ *
+ * Output:
+ * - s := r + s, r := 2r: projective (homogeneous) coordinates
+ *
+ * Differential addition-and-doubling using Eq. (9) and (10) from Izu-Takagi
* "A fast parallel elliptic curve multiplication resistant against side channel
* attacks", as described at
- * https://hyperelliptic.org/EFD/g1p/auto-shortw-xz.html#ladder-ladd-2002-it-4
+ * https://hyperelliptic.org/EFD/g1p/auto-shortw-xz.html#ladder-mladd-2002-it-4
*/
int ec_GFp_simple_ladder_step(const EC_GROUP *group,
EC_POINT *r, EC_POINT *s,
EC_POINT *p, BN_CTX *ctx)
{
int ret = 0;
- BIGNUM *t0, *t1, *t2, *t3, *t4, *t5, *t6, *t7 = NULL;
+ BIGNUM *t0, *t1, *t2, *t3, *t4, *t5, *t6 = NULL;
BN_CTX_start(ctx);
t0 = BN_CTX_get(ctx);
@@ -1546,50 +1568,47 @@ int ec_GFp_simple_ladder_step(const EC_GROUP *group,
t4 = BN_CTX_get(ctx);
t5 = BN_CTX_get(ctx);
t6 = BN_CTX_get(ctx);
- t7 = BN_CTX_get(ctx);
- if (t7 == NULL
- || !group->meth->field_mul(group, t0, r->X, s->X, ctx)
- || !group->meth->field_mul(group, t1, r->Z, s->Z, ctx)
- || !group->meth->field_mul(group, t2, r->X, s->Z, ctx)
+ if (t6 == NULL
+ || !group->meth->field_mul(group, t6, r->X, s->X, ctx)
+ || !group->meth->field_mul(group, t0, r->Z, s->Z, ctx)
+ || !group->meth->field_mul(group, t4, r->X, s->Z, ctx)
|| !group->meth->field_mul(group, t3, r->Z, s->X, ctx)
- || !group->meth->field_mul(group, t4, group->a, t1, ctx)
- || !BN_mod_add_quick(t0, t0, t4, group->field)
- || !BN_mod_add_quick(t4, t3, t2, group->field)
- || !group->meth->field_mul(group, t0, t4, t0, ctx)
- || !group->meth->field_sqr(group, t1, t1, ctx)
- || !BN_mod_lshift_quick(t7, group->b, 2, group->field)
- || !group->meth->field_mul(group, t1, t7, t1, ctx)
- || !BN_mod_lshift1_quick(t0, t0, group->field)
- || !BN_mod_add_quick(t0, t1, t0, group->field)
- || !BN_mod_sub_quick(t1, t2, t3, group->field)
- || !group->meth->field_sqr(group, t1, t1, ctx)
- || !group->meth->field_mul(group, t3, t1, p->X, ctx)
- || !group->meth->field_mul(group, t0, p->Z, t0, ctx)
- /* s->X coord output */
- || !BN_mod_sub_quick(s->X, t0, t3, group->field)
- /* s->Z coord output */
- || !group->meth->field_mul(group, s->Z, p->Z, t1, ctx)
- || !group->meth->field_sqr(group, t3, r->X, ctx)
- || !group->meth->field_sqr(group, t2, r->Z, ctx)
- || !group->meth->field_mul(group, t4, t2, group->a, ctx)
- || !BN_mod_add_quick(t5, r->X, r->Z, group->field)
- || !group->meth->field_sqr(group, t5, t5, ctx)
- || !BN_mod_sub_quick(t5, t5, t3, group->field)
- || !BN_mod_sub_quick(t5, t5, t2, group->field)
- || !BN_mod_sub_quick(t6, t3, t4, group->field)
- || !group->meth->field_sqr(group, t6, t6, ctx)
- || !group->meth->field_mul(group, t0, t2, t5, ctx)
- || !group->meth->field_mul(group, t0, t7, t0, ctx)
- /* r->X coord output */
- || !BN_mod_sub_quick(r->X, t6, t0, group->field)
+ || !group->meth->field_mul(group, t5, group->a, t0, ctx)
+ || !BN_mod_add_quick(t5, t6, t5, group->field)
|| !BN_mod_add_quick(t6, t3, t4, group->field)
- || !group->meth->field_sqr(group, t3, t2, ctx)
- || !group->meth->field_mul(group, t7, t3, t7, ctx)
- || !group->meth->field_mul(group, t5, t5, t6, ctx)
+ || !group->meth->field_mul(group, t5, t6, t5, ctx)
+ || !group->meth->field_sqr(group, t0, t0, ctx)
+ || !BN_mod_lshift_quick(t2, group->b, 2, group->field)
+ || !group->meth->field_mul(group, t0, t2, t0, ctx)
|| !BN_mod_lshift1_quick(t5, t5, group->field)
+ || !BN_mod_sub_quick(t3, t4, t3, group->field)
+ /* s->Z coord output */
+ || !group->meth->field_sqr(group, s->Z, t3, ctx)
+ || !group->meth->field_mul(group, t4, s->Z, p->X, ctx)
+ || !BN_mod_add_quick(t0, t0, t5, group->field)
+ /* s->X coord output */
+ || !BN_mod_sub_quick(s->X, t0, t4, group->field)
+ || !group->meth->field_sqr(group, t4, r->X, ctx)
+ || !group->meth->field_sqr(group, t5, r->Z, ctx)
+ || !group->meth->field_mul(group, t6, t5, group->a, ctx)
+ || !BN_mod_add_quick(t1, r->X, r->Z, group->field)
+ || !group->meth->field_sqr(group, t1, t1, ctx)
+ || !BN_mod_sub_quick(t1, t1, t4, group->field)
+ || !BN_mod_sub_quick(t1, t1, t5, group->field)
+ || !BN_mod_sub_quick(t3, t4, t6, group->field)
+ || !group->meth->field_sqr(group, t3, t3, ctx)
+ || !group->meth->field_mul(group, t0, t5, t1, ctx)
+ || !group->meth->field_mul(group, t0, t2, t0, ctx)
+ /* r->X coord output */
+ || !BN_mod_sub_quick(r->X, t3, t0, group->field)
+ || !BN_mod_add_quick(t3, t4, t6, group->field)
+ || !group->meth->field_sqr(group, t4, t5, ctx)
+ || !group->meth->field_mul(group, t4, t4, t2, ctx)
+ || !group->meth->field_mul(group, t1, t1, t3, ctx)
+ || !BN_mod_lshift1_quick(t1, t1, group->field)
/* r->Z coord output */
- || !BN_mod_add_quick(r->Z, t7, t5, group->field))
+ || !BN_mod_add_quick(r->Z, t4, t1, group->field))
goto err;
ret = 1;
@@ -1600,17 +1619,23 @@ int ec_GFp_simple_ladder_step(const EC_GROUP *group,
}
/*-
+ * Input:
+ * - s, r: projective (homogeneous) coordinates
+ * - p: affine coordinates
+ *
+ * Output:
+ * - r := (x,y): affine coordinates
+ *
* Recovers the y-coordinate of r using Eq. (8) from Brier-Joye, "Weierstrass
- * Elliptic Curves and Side-Channel Attacks", modified to work in projective
- * coordinates and return r in Jacobian projective coordinates.
+ * Elliptic Curves and Side-Channel Attacks", modified to work in mixed
+ * projective coords, i.e. p is affine and (r,s) in projective (homogeneous)
+ * coords, and return r in affine coordinates.
*
- * X4 = two*Y1*X2*Z3*Z2*Z1;
- * Y4 = two*b*Z3*SQR(Z2*Z1) + Z3*(a*Z2*Z1+X1*X2)*(X1*Z2+X2*Z1) - X3*SQR(X1*Z2-X2*Z1);
- * Z4 = two*Y1*Z3*SQR(Z2)*Z1;
+ * X4 = two*Y1*X2*Z3*Z2;
+ * Y4 = two*b*Z3*SQR(Z2) + Z3*(a*Z2+X1*X2)*(X1*Z2+X2) - X3*SQR(X1*Z2-X2);
+ * Z4 = two*Y1*Z3*SQR(Z2);
*
* Z4 != 0 because:
- * - Z1==0 implies p is at infinity, which would have caused an early exit in
- * the caller;
* - Z2==0 implies r is at infinity (handled by the BN_is_zero(r->Z) branch);
* - Z3==0 implies s is at infinity (handled by the BN_is_zero(s->Z) branch);
* - Y1==0 implies p has order 2, so either r or s are infinity and handled by
@@ -1627,11 +1652,7 @@ int ec_GFp_simple_ladder_post(const EC_GROUP *group,
return EC_POINT_set_to_infinity(group, r);
if (BN_is_zero(s->Z)) {
- /* (X,Y,Z) -> (XZ,YZ**2,Z) */
- if (!group->meth->field_mul(group, r->X, p->X, p->Z, ctx)
- || !group->meth->field_sqr(group, r->Z, p->Z, ctx)
- || !group->meth->field_mul(group, r->Y, p->Y, r->Z, ctx)
- || !BN_copy(r->Z, p->Z)
+ if (!EC_POINT_copy(r, p)
|| !EC_POINT_invert(group, r, ctx))
return 0;
return 1;
@@ -1647,38 +1668,46 @@ int ec_GFp_simple_ladder_post(const EC_GROUP *group,
t6 = BN_CTX_get(ctx);
if (t6 == NULL
- || !BN_mod_lshift1_quick(t0, p->Y, group->field)
- || !group->meth->field_mul(group, t1, r->X, p->Z, ctx)
- || !group->meth->field_mul(group, t2, r->Z, s->Z, ctx)
- || !group->meth->field_mul(group, t2, t1, t2, ctx)
- || !group->meth->field_mul(group, t3, t2, t0, ctx)
- || !group->meth->field_mul(group, t2, r->Z, p->Z, ctx)
- || !group->meth->field_sqr(group, t4, t2, ctx)
- || !BN_mod_lshift1_quick(t5, group->b, group->field)
- || !group->meth->field_mul(group, t4, t4, t5, ctx)
- || !group->meth->field_mul(group, t6, t2, group->a, ctx)
- || !group->meth->field_mul(group, t5, r->X, p->X, ctx)
- || !BN_mod_add_quick(t5, t6, t5, group->field)
- || !group->meth->field_mul(group, t6, r->Z, p->X, ctx)
- || !BN_mod_add_quick(t2, t6, t1, group->field)
- || !group->meth->field_mul(group, t5, t5, t2, ctx)
- || !BN_mod_sub_quick(t6, t6, t1, group->field)
- || !group->meth->field_sqr(group, t6, t6, ctx)
- || !group->meth->field_mul(group, t6, t6, s->X, ctx)
- || !BN_mod_add_quick(t4, t5, t4, group->field)
- || !group->meth->field_mul(group, t4, t4, s->Z, ctx)
- || !BN_mod_sub_quick(t4, t4, t6, group->field)
- || !group->meth->field_sqr(group, t5, r->Z, ctx)
- || !group->meth->field_mul(group, r->Z, p->Z, s->Z, ctx)
- || !group->meth->field_mul(group, r->Z, t5, r->Z, ctx)
- || !group->meth->field_mul(group, r->Z, r->Z, t0, ctx)
- /* t3 := X, t4 := Y */
- /* (X,Y,Z) -> (XZ,YZ**2,Z) */
- || !group->meth->field_mul(group, r->X, t3, r->Z, ctx)
+ || !BN_mod_lshift1_quick(t4, p->Y, group->field)
+ || !group->meth->field_mul(group, t6, r->X, t4, ctx)
+ || !group->meth->field_mul(group, t6, s->Z, t6, ctx)
+ || !group->meth->field_mul(group, t5, r->Z, t6, ctx)
+ || !BN_mod_lshift1_quick(t1, group->b, group->field)
+ || !group->meth->field_mul(group, t1, s->Z, t1, ctx)
|| !group->meth->field_sqr(group, t3, r->Z, ctx)
- || !group->meth->field_mul(group, r->Y, t4, t3, ctx))
+ || !group->meth->field_mul(group, t2, t3, t1, ctx)
+ || !group->meth->field_mul(group, t6, r->Z, group->a, ctx)
+ || !group->meth->field_mul(group, t1, p->X, r->X, ctx)
+ || !BN_mod_add_quick(t1, t1, t6, group->field)
+ || !group->meth->field_mul(group, t1, s->Z, t1, ctx)
+ || !group->meth->field_mul(group, t0, p->X, r->Z, ctx)
+ || !BN_mod_add_quick(t6, r->X, t0, group->field)
+ || !group->meth->field_mul(group, t6, t6, t1, ctx)
+ || !BN_mod_add_quick(t6, t6, t2, group->field)
+ || !BN_mod_sub_quick(t0, t0, r->X, group->field)
+ || !group->meth->field_sqr(group, t0, t0, ctx)
+ || !group->meth->field_mul(group, t0, t0, s->X, ctx)
+ || !BN_mod_sub_quick(t0, t6, t0, group->field)
+ || !group->meth->field_mul(group, t1, s->Z, t4, ctx)
+ || !group->meth->field_mul(group, t1, t3, t1, ctx)
+ || (group->meth->field_decode != NULL
+ && !group->meth->field_decode(group, t1, t1, ctx))
+ || !group->meth->field_inv(group, t1, t1, ctx)
+ || (group->meth->field_encode != NULL
+ && !group->meth->field_encode(group, t1, t1, ctx))
+ || !group->meth->field_mul(group, r->X, t5, t1, ctx)
+ || !group->meth->field_mul(group, r->Y, t0, t1, ctx))
goto err;
+ if (group->meth->field_set_to_one != NULL) {
+ if (!group->meth->field_set_to_one(group, r->Z, ctx))
+ goto err;
+ } else {
+ if (!BN_one(r->Z))
+ goto err;
+ }
+
+ r->Z_is_one = 1;
ret = 1;
err:
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index f28f2d2610..41625e75ad 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -508,6 +508,12 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
ret = 1;
break;
}
+ if ((x->ex_flags & EXFLAG_CA) == 0
+ && x->ex_pathlen != -1
+ && (ctx->param->flags & X509_V_FLAG_X509_STRICT)) {
+ ctx->error = X509_V_ERR_INVALID_EXTENSION;
+ ret = 0;
+ }
if (ret == 0 && !verify_cb_cert(ctx, x, i, X509_V_OK))
return 0;
/* check_purpose() makes the callback as needed */
diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c
index 2bc8253d2d..2eaad1a763 100644
--- a/crypto/x509v3/v3_purp.c
+++ b/crypto/x509v3/v3_purp.c
@@ -384,12 +384,16 @@ static void x509v3_cache_extensions(X509 *x)
if (bs->ca)
x->ex_flags |= EXFLAG_CA;
if (bs->pathlen) {
- if ((bs->pathlen->type == V_ASN1_NEG_INTEGER)
- || !bs->ca) {
+ if (bs->pathlen->type == V_ASN1_NEG_INTEGER) {
x->ex_flags |= EXFLAG_INVALID;
x->ex_pathlen = 0;
- } else
+ } else {
x->ex_pathlen = ASN1_INTEGER_get(bs->pathlen);
+ if (!bs->ca && x->ex_pathlen != 0) {
+ x->ex_flags |= EXFLAG_INVALID;
+ x->ex_pathlen = 0;
+ }
+ }
} else
x->ex_pathlen = -1;
BASIC_CONSTRAINTS_free(bs);
diff --git a/doc/man3/EVP_aes.pod b/doc/man3/EVP_aes.pod
index 4192a9ec36..7db48a427f 100644
--- a/doc/man3/EVP_aes.pod
+++ b/doc/man3/EVP_aes.pod
@@ -160,6 +160,13 @@ In particular, XTS-AES-128 (B<EVP_aes_128_xts>) takes input of a 256-bit key to
achieve AES 128-bit security, and XTS-AES-256 (B<EVP_aes_256_xts>) takes input
of a 512-bit key to achieve AES 256-bit security.
+The XTS implementation in OpenSSL does not support streaming. That is there must
+only be one L<EVP_EncryptUpdate(3)> call per L<EVP_EncryptInit_ex(3)> call (and
+similarly with the "Decrypt" functions).
+
+The I<iv> parameter to L<EVP_EncryptInit_ex(3)> or L<EVP_DecryptInit_ex(3)> is
+the XTS "tweak" value.
+
=back
=head1 RETURN VALUES
diff --git a/test/certs/ee-pathlen.pem b/test/certs/ee-pathlen.pem
new file mode 100644
index 0000000000..0bcae1d7bd
--- /dev/null
+++ b/test/certs/ee-pathlen.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICszCCAZugAwIBAgIBAjANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDDAJDQTAg
+Fw0yMDA0MDMwODA0MTVaGA8yMTIwMDQwNDA4MDQxNVowGTEXMBUGA1UEAwwOc2Vy
+dmVyLmV4YW1wbGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCo/4lY
+YYWu3tssD9Vz++K3qBt6dWAr1H08c3a1rt6TL38kkG3JHPSKOM2fooAWVsu0LLuT
+5Rcf/w3GQ/4xNPgo2HXpo7uIgu+jcuJTYgVFTeAxl++qnRDSWA2eBp4yuxsIVl1l
+Dz9mjsI2oBH/wFk1/Ukc3RxCMwZ4rgQ4I+XndWfTlK1aqUAfrFkQ9QzBZK1KxMY1
+U7OWaoIbFYvRmavknm+UqtKW5Vf7jJFkijwkFsbSGb6CYBM7YrDtPh2zyvlr3zG5
+ep5LR2inKcc/SuIiJ7TvkGPX79ByST5brbkb1Ctvhmjd1XMSuEPJ3EEPoqNGT4tn
+iIQPYf55NB9KiR+3AgMBAAGjEDAOMAwGA1UdEwQFMAMCAQAwDQYJKoZIhvcNAQEL
+BQADggEBAApOUnWWd09I0ts3xa1oK7eakc+fKTF4d7pbGznFNONaCR3KFRgnBVlG
+Bm8/oehrrQ28Ad3XPSug34DQQ5kM6JIuaddx50/n4Xkgj8/fgXVA0HXizOJ3QpKC
+IojLVajXlQHhpo72VUQuNOha0UxG9daYjS20iXRhanTm9rUz7qQZEugVQCiR0z/f
+9NgM7FU9UaSidzH3gZu/Ufc4Ggn6nZV7LM9sf4IUV+KszS1VpcK+9phAmsB6BaAi
+cFXvVXZjTNualQgPyPwOD8c+vVCIfIemfF5TZ6fyqpOjprWQAphwrTtfNDSmqRTz
+FRhDf+vJERQclgUtg37EgWGKtnNQeRY=
+-----END CERTIFICATE-----
diff --git a/test/certs/setup.sh b/test/certs/setup.sh
index 2d53ea5b08..bbe4842a51 100755
--- a/test/certs/setup.sh
+++ b/test/certs/setup.sh
@@ -154,7 +154,7 @@ openssl x509 -in sca-cert.pem -trustout \
-addtrust anyExtendedKeyUsage -out sca+anyEKU.pem
# Primary leaf cert: ee-cert
-# ee variants: expired, issuer-key2, issuer-name2
+# ee variants: expired, issuer-key2, issuer-name2, bad-pathlen
# trust variants: +serverAuth, -serverAuth, +clientAuth, -clientAuth
# purpose variants: client
#
@@ -163,6 +163,8 @@ openssl x509 -in sca-cert.pem -trustout \
./mkcert.sh genee server.example ee-key ee-cert2 ca-key2 ca-cert2
./mkcert.sh genee server.example ee-key ee-name2 ca-key ca-name2
./mkcert.sh genee -p clientAuth server.example ee-key ee-client ca-key ca-cert
+./mkcert.sh genee server.example ee-key ee-pathlen ca-key ca-cert \
+ -extfile <(echo "basicConstraints=CA:FALSE,pathlen:0")
#
openssl x509 -in ee-cert.pem -trustout \
-addtrust serverAuth -out ee+serverAuth.pem
diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t
index b80a1cde3e..0e0f5dca21 100644
--- a/test/recipes/25-test_verify.t
+++ b/test/recipes/25-test_verify.t
@@ -27,7 +27,7 @@ sub verify {
run(app([@args]));
}
-plan tests => 135;
+plan tests => 137;
# Canonical success
ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]),
@@ -222,6 +222,10 @@ ok(verify("ee-client", "sslclient", [qw(ee+clientAuth)], [], "-partial_chain"),
"accept direct match with client trust");
ok(!verify("ee-client", "sslclient", [qw(ee-clientAuth)], [], "-partial_chain"),
"reject direct match with client mistrust");
+ok(verify("ee-pathlen", "sslserver", [qw(root-cert)], [qw(ca-cert)]),
+ "accept non-ca with pathlen:0 by default");
+ok(!verify("ee-pathlen", "sslserver", [qw(root-cert)], [qw(ca-cert)], "-x509_strict"),
+ "reject non-ca with pathlen:0 with strict flag");
# Proxy certificates
ok(!verify("pc1-cert", "sslclient", [qw(root-cert)], [qw(ee-client ca-cert)]),
diff --git a/test/sm2_internal_test.c b/test/sm2_internal_test.c
index 952f688e8b..f7e4e38d03 100644
--- a/test/sm2_internal_test.c
+++ b/test/sm2_internal_test.c
@@ -32,17 +32,18 @@ static size_t fake_rand_size = 0;
static int get_faked_bytes(unsigned char *buf, int num)
{
- int i;
-
if (fake_rand_bytes == NULL)
return saved_rand->bytes(buf, num);
- if (!TEST_size_t_le(fake_rand_bytes_offset + num, fake_rand_size))
+ if (!TEST_size_t_gt(fake_rand_size, 0))
return 0;
- for (i = 0; i != num; ++i)
- buf[i] = fake_rand_bytes[fake_rand_bytes_offset + i];
- fake_rand_bytes_offset += num;
+ while (num-- > 0) {
+ if (fake_rand_bytes_offset >= fake_rand_size)
+ fake_rand_bytes_offset = 0;
+ *buf++ = fake_rand_bytes[fake_rand_bytes_offset++];
+ }
+
return 1;
}
@@ -175,8 +176,7 @@ static int test_sm2_crypt(const EC_GROUP *group,
start_fake_rand(k_hex);
if (!TEST_true(sm2_encrypt(key, digest, (const uint8_t *)message, msg_len,
- ctext, &ctext_len))
- || !TEST_size_t_eq(fake_rand_bytes_offset, fake_rand_size)) {
+ ctext, &ctext_len))) {
restore_rand();
goto done;
}
@@ -296,8 +296,7 @@ static int test_sm2_sign(const EC_GROUP *group,
start_fake_rand(k_hex);
sig = sm2_do_sign(key, EVP_sm3(), (const uint8_t *)userid, strlen(userid),
(const uint8_t *)message, msg_len);
- if (!TEST_ptr(sig)
- || !TEST_size_t_eq(fake_rand_bytes_offset, fake_rand_size)) {
+ if (!TEST_ptr(sig)) {
restore_rand();
goto done;
}

12
openssl-1.1.1-version-override.patch
View File

@ -1,12 +1,12 @@
diff -up openssl-1.1.1f/include/openssl/opensslv.h.version-override openssl-1.1.1f/include/openssl/opensslv.h
--- openssl-1.1.1f/include/openssl/opensslv.h.version-override 2020-04-07 16:46:21.792998242 +0200
+++ openssl-1.1.1f/include/openssl/opensslv.h 2020-04-07 16:47:18.919962564 +0200
diff -up openssl-1.1.1g/include/openssl/opensslv.h.version-override openssl-1.1.1g/include/openssl/opensslv.h
--- openssl-1.1.1g/include/openssl/opensslv.h.version-override 2020-04-23 13:29:37.802673513 +0200
+++ openssl-1.1.1g/include/openssl/opensslv.h 2020-04-23 13:30:13.064008458 +0200
@@ -40,7 +40,7 @@ extern "C" {
* major minor fix final patch/beta)
*/
# define OPENSSL_VERSION_NUMBER 0x1010106fL
-# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1f 31 Mar 2020"
+# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1f FIPS 31 Mar 2020"
# define OPENSSL_VERSION_NUMBER 0x1010107fL
-# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1g 21 Apr 2020"
+# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1g FIPS 21 Apr 2020"
/*-
* The macros below are to be used for shared library (.so, .dll, ...)

81
openssl.spec
View File

@ -21,8 +21,8 @@
Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl
Version: 1.1.1f
Release: 1.0.riscv64%{?dist}
Version: 1.1.1g
Release: 14.0.riscv64%{?dist}
Epoch: 1
# We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below.
@ -62,15 +62,23 @@ Patch47: openssl-1.1.1-ts-sha256-default.patch
Patch48: openssl-1.1.1-fips-post-rand.patch
Patch49: openssl-1.1.1-evp-kdf.patch
Patch50: openssl-1.1.1-ssh-kdf.patch
Patch51: openssl-1.1.1-intel-cet.patch
Patch60: openssl-1.1.1-krb5-kdf.patch
Patch61: openssl-1.1.1-intel-cet.patch
Patch61: openssl-1.1.1-edk2-build.patch
Patch62: openssl-1.1.1-fips-curves.patch
Patch65: openssl-1.1.1-fips-drbg-selftest.patch
Patch66: openssl-1.1.1-fips-dh.patch
Patch67: openssl-1.1.1-kdf-selftest.patch
Patch68: openssl-1.1.1-reneg-no-extms.patch
Patch69: openssl-1.1.1-alpn-cb.patch
Patch70: openssl-1.1.1-rewire-fips-drbg.patch
# Backported fixes including security fixes
Patch52: openssl-1.1.1-s390x-update.patch
Patch53: openssl-1.1.1-fips-crng-test.patch
Patch54: openssl-1.1.1-upstream-sync.patch
Patch55: openssl-1.1.1-arm-update.patch
Patch56: openssl-1.1.1-s390x-ecc.patch
License: OpenSSL
License: OpenSSL and ASL 2.0
URL: http://www.openssl.org/
BuildRequires: gcc
BuildRequires: coreutils, perl-interpreter, sed, zlib-devel, /usr/bin/cmp
@ -167,12 +175,20 @@ cp %{SOURCE13} test/
%patch48 -p1 -b .fips-post-rand
%patch49 -p1 -b .evp-kdf
%patch50 -p1 -b .ssh-kdf
%patch51 -p1 -b .intel-cet
%patch52 -p1 -b .s390x-update
%patch53 -p1 -b .crng-test
%patch55 -p1 -b .arm-update
%patch56 -p1 -b .s390x-ecc
%patch60 -p1 -b .krb5-kdf
%patch61 -p1 -b .intel-cet
%patch61 -p1 -b .edk2-build
%patch62 -p1 -b .fips-curves
%patch65 -p1 -b .drbg-selftest
%patch54 -p1 -b .upstream-sync
%patch66 -p1 -b .fips-dh
%patch67 -p1 -b .kdf-selftest
%patch68 -p1 -b .reneg-no-extms
%patch69 -p1 -b .alpn-cb
%patch70 -p1 -b .rewire-fips-drbg
%build
@ -314,7 +330,7 @@ make test
[ "$RPM_BUILD_ROOT" != "/" ] && rm -rf $RPM_BUILD_ROOT
# Install OpenSSL.
install -d $RPM_BUILD_ROOT{%{_bindir},%{_includedir},%{_libdir},%{_mandir},%{_libdir}/openssl,%{_pkgdocdir}}
make DESTDIR=$RPM_BUILD_ROOT install
%make_install
rename so.%{soversion} so.%{version} $RPM_BUILD_ROOT%{_libdir}/*.so.%{soversion}
for lib in $RPM_BUILD_ROOT%{_libdir}/*.so.%{version} ; do
chmod 755 ${lib}
@ -462,9 +478,56 @@ export LD_LIBRARY_PATH
%ldconfig_scriptlets libs
%changelog
* Sun Apr 12 2020 David Abdurachmanov <david.abdurachmanov@sifive.com> 1.1.1f-1.0.riscv64
* Thu Jul 23 2020 David Abdurachmanov <david.abdurachmanov@sifive.com> 1:1.1.1g-14.0.riscv64
- Add --libdir=%{_lib} for riscv64 (uses linux-generic64)
* Tue Jul 21 2020 Tom Stellard <tstellar@redhat.com> - 1:1.1.1g-14
- Use make macros
- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
* Mon Jul 20 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1g-13
- Additional FIPS mode check for EC key generation
* Fri Jul 17 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1g-12
- Further changes for SP 800-56A rev3 requirements
* Mon Jun 22 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1g-11
- Drop long ago obsolete part of the FIPS patch
* Mon Jun 22 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1g-10
- Rewire FIPS_drbg API to use the RAND_DRBG
* Fri Jun 5 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1g-9
- Disallow dropping Extended Master Secret extension
on renegotiation
- Return alert from s_server if ALPN protocol does not match
- SHA1 is allowed in @SECLEVEL=2 only if allowed by
TLS SigAlgs configuration
* Wed Jun 3 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1g-8
- Add FIPS selftest for PBKDF2 and KBKDF
* Tue May 26 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1g-7
- Use the well known DH groups in TLS
* Mon May 25 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1g-6
- Allow only well known DH groups in the FIPS mode
* Thu May 21 2020 Adam Williamson <awilliam@redhat.com> - 1.1.1g-5
- Re-apply the change from -2 now we have fixed nosync to work with it
* Tue May 19 2020 Adam Williamson <awilliam@redhat.com> - 1.1.1g-4
- Revert the change from -2 as it seems to cause segfaults in systemd
* Mon May 18 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1g-3
- pull some fixes and improvements from RHEL-8
* Fri May 15 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1g-2
- FIPS module installed state definition is modified
* Thu Apr 23 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1g-1
- update to the 1.1.1g release
* Tue Apr 7 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1f-1
- update to the 1.1.1f release

2
sources
View File

@ -1 +1 @@
SHA512 (openssl-1.1.1f-hobbled.tar.xz) = 551feb19c8606e86d03b05ef47294cc47048e1e2e33e0474b2e309984e034c72e04b120740e3b1aeca275fa4c52138830a724d09a861d51c133b6baa754e23d2
SHA512 (openssl-1.1.1g-hobbled.tar.xz) = 7cd351d8fd4a028edcdc6804d8b73af7ff5693ab96cafd4f9252534d4e8e9000e22aefa45f51db490da52d89f4e5b41d02452be0b516fbb0fe84e36d5ca54971

5
tests/tests_python.yml
View File

@ -10,8 +10,9 @@
tests:
- python_selftest:
dir: python/selftest
run: VERSION=3.7 X="test_ssl test_asyncio test_hashlib test_ftplib test_httplib test_imaplib test_logging test_nntplib test_poplib test_urllib2_localnet test_urllib test_xmlrpc" ./parallel.sh
run: X="test_ssl test_asyncio test_hashlib test_ftplib test_httplib test_imaplib test_logging test_nntplib test_poplib test_urllib2_localnet test_urllib test_xmlrpc" ./parallel.sh
required_packages:
- gcc # for extension building in venv and selftest
- python3-tkinter # for selftest
- python3-test # for selftest
- python3-test # for selftest
- python3-rpm-macros # for dynamic python version